
Windows Analysis Report
Windows Defender.exe

Overview

General Information

Sample name: Windows Defender.exe
Analysis ID: 1478314
MD5: f6d9f758f360decaf8e73f885be02571
SHA1: ffc684a4500ade8e4e10e341880480db574a8642
SHA256: 03072c4acdc40c9aa06aab693d7a200934d5025d4c3ce46409ac6b435f2973bc
Tags: 64, exe, formbook, xworm (the "formbook" tag is not backed by anything in the results below; every family-specific match on this page is XWorm or the AsyncRAT community rule)

Detection

Family: XWorm
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Windows Defender.exe (PID: 6848 cmdline: "C:\Users\user\Desktop\Windows Defender.exe" MD5: F6D9F758F360DECAF8E73F885BE02571)
    • powershell.exe (PID: 6248 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4296 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 928 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows defender.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1984 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows defender.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Windows defender.exe (PID: 4144 cmdline: "C:\Users\user\AppData\Roaming\Windows defender.exe" MD5: F6D9F758F360DECAF8E73F885BE02571)
  • Windows defender.exe (PID: 2896 cmdline: "C:\Users\user\AppData\Roaming\Windows defender.exe" MD5: F6D9F758F360DECAF8E73F885BE02571)
  • cleanup
Malware configuration (XWorm, as recovered by the configuration extractor):
{"C2 url": ["rest-root.gl.at.ply.gg"], "Port": "22746", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

The C2 is a playit.gg tunnel hostname on a non-standard port (22746). The key and SPL values appear to be the XWorm builder's defaults, so they do not single out an operator. "Install file" (USB.exe) is distinct from the persistence copy actually written in this run, %AppData%\Windows defender.exe (see the string-decryptor output under AV Detection and the process tree above).
Yara matches (source, then rule: description (author) and matched strings)

Sample: Windows Defender.exe
  • JoeSecurity_XWorm: Yara detected XWorm (Joe Security)
  • JoeSecurity_GenericDownloader_1: Yara detected Generic Downloader (Joe Security)
  • MALWARE_Win_AsyncRAT: Detects AsyncRAT (ditekSHen), matched strings:
    • 0xd67c:$s6: VirtualBox
    • 0xd5da:$s8: Win32_ComputerSystem
    • 0x10569:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x10606:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x1071b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0xf0e6:$cnc4: POST / HTTP/1.1

Dropped file: C:\Users\user\AppData\Roaming\Windows defender.exe (same MD5 as the submitted sample, see the process tree, so it is a straight copy and the matches are identical)
  • JoeSecurity_XWorm: Yara detected XWorm (Joe Security)
  • JoeSecurity_GenericDownloader_1: Yara detected Generic Downloader (Joe Security)
  • MALWARE_Win_AsyncRAT: Detects AsyncRAT (ditekSHen), same six strings at the same offsets as in the sample (0xd67c $s6, 0xd5da $s8, 0x10569 $cnc1, 0x10606 $cnc2, 0x1071b $cnc3, 0xf0e6 $cnc4)

Memory dumps
  • 00000000.00000002.2968960632.0000000012991000.00000004.00000800.00020000.00000000.sdmp
    • JoeSecurity_XWorm: Yara detected XWorm (Joe Security)
    • MALWARE_Win_AsyncRAT: Detects AsyncRAT (ditekSHen), matched strings:
      • 0xe0f4:$s6: VirtualBox
      • 0xe052:$s8: Win32_ComputerSystem
      • 0x10fe1:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0x1107e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0x11193:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0xfb5e:$cnc4: POST / HTTP/1.1
  • 00000000.00000002.2938486382.0000000002981000.00000004.00000800.00020000.00000000.sdmp
    • JoeSecurity_XWorm: Yara detected XWorm (Joe Security)
  • 00000000.00000000.1679736888.0000000000672000.00000002.00000001.01000000.00000003.sdmp
    • JoeSecurity_XWorm: Yara detected XWorm (Joe Security)
    • MALWARE_Win_AsyncRAT: Detects AsyncRAT (ditekSHen), matched strings:
      • 0xd47c:$s6: VirtualBox
      • 0xd3da:$s8: Win32_ComputerSystem
      • 0x10369:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0x10406:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0x1051b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0xeee6:$cnc4: POST / HTTP/1.1

Unpacked PE
  • 0.2.Windows Defender.exe.12991a78.0.raw.unpack: JoeSecurity_XWorm (Yara detected XWorm, Joe Security); JoeSecurity_GenericDownloader_1 (Yara detected Generic Downloader, Joe Security); MALWARE_Win_AsyncRAT (Detects AsyncRAT, ditekSHen), strings at the same offsets as in the submitted sample
  • 0.2.Windows Defender.exe.12991a78.0.unpack
    • JoeSecurity_XWorm: Yara detected XWorm (Joe Security)
    • MALWARE_Win_AsyncRAT: Detects AsyncRAT (ditekSHen), matched strings:
      • 0xb87c:$s6: VirtualBox
      • 0xb7da:$s8: Win32_ComputerSystem
      • 0xe769:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0xe806:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0xe91b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0xd2e6:$cnc4: POST / HTTP/1.1

                      System Summary

Sigma matches:
  • Process started (rule author: Florian Roth, Nextron Systems): powershell.exe (PID 6248) launched by C:\Users\user\Desktop\Windows Defender.exe (PID 6848) with command line "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe' (matched field as rendered by the report: CommandLine|base64offset|contains: L^rbs'2)
  • Process started (rule author: frack113): the same event (PID 6248, same command line and parent)
  • Registry key set (rule authors: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)): EventID 13, SetValue, by C:\Users\user\Desktop\Windows Defender.exe (PID 6848); TargetObject HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows defender, Details C:\Users\user\AppData\Roaming\Windows defender.exe
  • Process started (rule author: Florian Roth, Nextron Systems): the same powershell.exe event (PID 6248)
  • File created (rule authors: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)): EventID 11, by C:\Users\user\Desktop\Windows Defender.exe (PID 6848); TargetFilename C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows defender.lnk
  • Process started (rule authors: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)): the same powershell.exe event (PID 6248)
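The Sigma matches above all key on fields a Sysmon-style event pipeline already carries. What follows is an added example, not code from Joe Sandbox, the Sigma project or this sample: a small Python rule set that replays constructed events modelled on this run's process tree, Run-key write and Startup-folder drop, and flags them. Field names follow Sysmon (EventID 1/11/13, CommandLine, ParentImage, TargetObject, Details, TargetFilename). The encoded-command variant, the benign Get-MpPreference control event, the "user-writable path" and "system directory" heuristics and the severity labels are the example's own assumptions; it goes one step beyond the report by also decoding -EncodedCommand payloads (the "Powershell Base64 Encoded MpPreference Cmdlet" case) before matching.

```python
"""Host-side detection logic for the behaviour recorded in this report.

Added example, not Joe Sandbox, Sigma or XWorm code. Constructed Sysmon-style
events are run through three rules: a Defender exclusion added from
powershell.exe (plain or -EncodedCommand form), a Run-key value pointing at a
user-writable path, and a shortcut written to the Startup folder.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Event:
    event_id: int           # Sysmon IDs: 1 process create, 11 file create, 13 registry SetValue
    image: str              # process that performed the action
    fields: Dict[str, str]  # remaining fields, keyed as Sysmon names them


@dataclass
class Finding:
    technique: str
    severity: str
    detail: str


MPPREF = re.compile(r"(Add|Set)-MpPreference", re.I)
EXCLUSION = re.compile(r"-Exclusion(Path|Process|Extension|IpAddress)\b", re.I)
BYPASS = re.compile(r"-(ep|ex|exec|executionpolicy)\s+(bypass|unrestricted)\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Heuristics (assumptions of this example): where a dropper can write, and where trusted parents live
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(AppData|Desktop|Downloads|Documents)|ProgramData|Windows\\Temp)\\", re.I)
SYSTEM_DIR = re.compile(r"^[A-Z]:\\(Windows|Program Files( \(x86\))?)\\", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE text behind -EncodedCommand (or any prefix: -e, -enc, ...), else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        name = tok[1:].lower()
        if tok[0] in "-/" and name and "encodedcommand".startswith(name):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                continue
    return None


def check_defender_exclusion(ev: Event) -> Optional[Finding]:
    if ev.event_id != 1 or not ev.image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return None
    cmd = ev.fields.get("CommandLine", "")
    decoded = decode_encoded_command(cmd)
    text = cmd if decoded is None else cmd + " " + decoded   # match on the decoded payload too
    excl = EXCLUSION.search(text)
    if not (MPPREF.search(text) and excl):
        return None
    aggravators = []
    if BYPASS.search(cmd):
        aggravators.append("ExecutionPolicy bypass")
    if decoded is not None:
        aggravators.append("encoded command")
    parent = ev.fields.get("ParentImage", "")
    if parent and not SYSTEM_DIR.search(parent):
        aggravators.append("parent outside Windows/Program Files: " + parent)
    severity = "high" if aggravators else "medium"
    return Finding("defender-exclusion", severity, excl.group(0) + "; " + (", ".join(aggravators) or "no aggravators"))


def check_run_key(ev: Event) -> Optional[Finding]:
    target = ev.fields.get("TargetObject", "")
    if ev.event_id != 13 or not RUN_KEY.search(target):
        return None
    value = ev.fields.get("Details", "")
    severity = "high" if USER_WRITABLE.search(value) else "low"
    return Finding("run-key-autorun", severity, target + " -> " + value)


def check_startup_folder(ev: Event) -> Optional[Finding]:
    path = ev.fields.get("TargetFilename", "")
    if ev.event_id != 11 or not STARTUP_DIR.search(path):
        return None
    return Finding("startup-folder-write", "high", ev.image + " wrote " + path)


RULES = (check_defender_exclusion, check_run_key, check_startup_folder)


def detect(events: List[Event]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed events mirroring the report's process tree, Run-key write and .lnk drop,
# plus an encoded variant and a benign Get-MpPreference query as a negative control.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Users\user\Desktop\Windows Defender.exe"
COPY = r"C:\Users\user\AppData\Roaming\Windows defender.exe"
ENCODED = base64.b64encode(r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'".encode("utf-16-le")).decode()


def ps_cmd(args: str) -> str:
    return '"' + PS + '" -ExecutionPolicy Bypass ' + args


SAMPLE_EVENTS = [
    Event(1, PS, {"CommandLine": ps_cmd(r"Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe'"), "ParentImage": DROPPER}),
    Event(1, PS, {"CommandLine": ps_cmd(r"Add-MpPreference -ExclusionProcess 'Windows Defender.exe'"), "ParentImage": DROPPER}),
    Event(1, PS, {"CommandLine": '"' + PS + '" -nop -w hidden -enc ' + ENCODED, "ParentImage": r"C:\Windows\explorer.exe"}),
    Event(1, PS, {"CommandLine": '"' + PS + '" Get-MpPreference', "ParentImage": r"C:\Windows\System32\cmd.exe"}),
    Event(13, DROPPER, {"TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows defender", "Details": COPY}),
    Event(11, DROPPER, {"TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows defender.lnk"}),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.technique}: {f.detail}")
```

Run as a script it prints five findings: three Defender exclusions (all rated high because of the ExecutionPolicy bypass, the non-system parent, or the encoded payload), the Run-key autorun into %AppData%, and the Startup-folder shortcut; the Get-MpPreference control produces nothing. The decode step matters because PowerShell accepts any unambiguous prefix of -EncodedCommand, so a rule that only greps the visible command line for Add-MpPreference misses the encoded form.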
IDS alerts:
  • Timestamp: 07/22/24-14:04:13.386026, SID: 2855924, Source Port: 49737, Destination Port: 22746, Protocol: TCP, Classtype: A Network Trojan was detected
  • Timestamp: 2024-07-22T14:04:13.386026+0200, SID: 2855924, Source Port: 49737, Destination Port: 22746, Protocol: TCP, Classtype: Malware Command and Control Activity Detected


                      AV Detection

Source: Windows Defender.exe | Avira: detected
Source: rest-root.gl.at.ply.gg | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\Windows defender.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: Windows Defender.exe | Malware Configuration Extractor: Xworm {"C2 url": ["rest-root.gl.at.ply.gg"], "Port": "22746", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: C:\Users\user\AppData\Roaming\Windows defender.exe | ReversingLabs: Detection: 73%
Source: Windows Defender.exe | ReversingLabs: Detection: 73%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Windows defender.exe | Joe Sandbox ML: detected
Source: Windows Defender.exe | Joe Sandbox ML: detected
Source: Windows Defender.exe | String decryptor: rest-root.gl.at.ply.gg
Source: Windows Defender.exe | String decryptor: 22746
Source: Windows Defender.exe | String decryptor: <123456789>
Source: Windows Defender.exe | String decryptor: <Xwormmm>
Source: Windows Defender.exe | String decryptor: Windows Defender
Source: Windows Defender.exe | String decryptor: USB.exe
Source: Windows Defender.exe | String decryptor: %AppData%
Source: Windows Defender.exe | String decryptor: Windows defender.exe
Source: Windows Defender.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE (the header is 32-bit-flagged, yet the JIT-compiled code functions listed under System Summary sit at 64-bit addresses; this is the expected picture for a .NET assembly built AnyCPU and run on the w10x64 analysis host)
Source: Windows Defender.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\catroot2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\System32\AppxSip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SYSTEM32\OpcServices.DLL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\System32\wshext.dll

                      Networking

Source: Traffic | Snort IDS: 2855924 ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound 192.168.2.4:49737 -> 147.185.221.20:22746
Source: Malware configuration extractor | URLs: rest-root.gl.at.ply.gg
Source: Yara match | File source: Windows Defender.exe, type: SAMPLE
Source: Yara match | File source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.Windows Defender.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows defender.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.4:49737 -> 147.185.221.20:22746
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 / Host: ip-api.com / Connection: Keep-Alive (no User-Agent header; the sample asks ip-api.com whether its egress IP belongs to a hosting provider, which is the "data center or colocation facility" check listed in the signatures)
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 147.185.221.20
Source: Joe Sandbox View | ASN Name: TUT-ASUS
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: rest-root.gl.at.ply.gg
Source: powershell.exe, 00000001.00000002.1777599701.00000183768D1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
Source: powershell.exe, 00000007.00000002.2019157164.000002C4FB5E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000007.00000002.2019157164.000002C4FB5E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000001.00000002.1776503483.0000018376630000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000004.00000002.1872277415.00000166D3E9A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microso
Source: Windows Defender.exe, Windows defender.exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000001.00000002.1770364691.000001836E151000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1857314352.00000166CB7B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1985826490.000002C490071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2192950897.0000017323D9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2221696230.000001732C5A8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://osoft.co
Source: powershell.exe, 0000000B.00000002.2057100718.0000017313F58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1754844090.000001835E309000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1805611860.00000166BB969000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1902775888.000002C480229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2057100718.0000017313F58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Windows Defender.exe, 00000000.00000002.2938486382.0000000002981000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1754844090.000001835E0E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1805611860.00000166BB741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1902775888.000002C480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2057100718.0000017313D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1754844090.000001835E309000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1805611860.00000166BB969000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1902775888.000002C480229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2057100718.0000017313F58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000007.00000002.2013027015.000002C4FB0FF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://wwcrosoft.com/pki/certs/MicWinPCA_2010-07-06.crt0
Source: powershell.exe, 0000000B.00000002.2057100718.0000017313F58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000B.00000002.2218935309.000001732C280000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.?
Source: powershell.exe, 0000000B.00000002.2221696230.000001732C5F3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000001.00000002.1754844090.000001835E0E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1805611860.00000166BB741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1902775888.000002C480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2057100718.0000017313D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000B.00000002.2192950897.0000017323D9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2192950897.0000017323D9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2192950897.0000017323D9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2057100718.0000017313F58000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1770364691.000001836E151000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1857314352.00000166CB7B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1985826490.000002C490071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2192950897.0000017323D9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

Of the strings above, only http://ip-api.com/line/?fields=hosting comes from the sample and its dropped copy; the crl/microsoft, nuget.org, Pester and contoso.com strings are all sourced from powershell.exe memory and are ordinary PowerShell host and module residue, not indicators of this malware.
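As an added example (not Joe Sandbox, Emerging Threats or XWorm code): a Python detector that turns the extracted configuration into network indicators, remembers DNS answers for the C2 name so later connections to that address match, and flags the ip-api.com hosting lookup the sample sends without a User-Agent. The record layout, the use of the .ply.gg tunnel suffix as a secondary indicator, the list of "standard" ports and the benign example.com / TEST-NET control records are assumptions of the example, not data from the report.

```python
"""Network-side checks for the indicators in this report.

Added example, not Joe Sandbox, Emerging Threats or XWorm code. It takes the
extracted configuration (C2 host and port), correlates DNS answers with later
connections, and flags the ip-api.com hosting lookup used as a sandbox /
datacenter check. The records are constructed from the report's traffic plus
benign RFC 2606 / TEST-NET entries as negative controls.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qs, urlsplit

# Configuration exactly as printed by the report's extractor
CONFIG = {"C2 url": ["rest-root.gl.at.ply.gg"], "Port": "22746",
          "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

TUNNEL_SUFFIXES = (".ply.gg",)       # playit.gg tunnel names, as used by this sample's C2 (assumption)
IP_LOOKUP_HOSTS = ("ip-api.com",)    # public IP-info services; fields=hosting asks "am I in a datacenter?"
STANDARD_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 3389}  # example's own list


@dataclass
class Finding:
    technique: str
    severity: str
    detail: str


def iocs_from_config(cfg: Dict) -> Tuple[Set[str], Set[int]]:
    """Pull C2 hostnames and ports out of the extractor's JSON, tolerating host:port entries."""
    hosts: Set[str] = set()
    ports: Set[int] = set()
    for entry in cfg.get("C2 url", []):
        host, _, port = entry.rpartition(":")
        if host and port.isdigit():
            hosts.add(host.lower())
            ports.add(int(port))
        else:
            hosts.add(entry.lower())
    if str(cfg.get("Port", "")).isdigit():
        ports.add(int(cfg["Port"]))
    return hosts, ports


class NetworkDetector:
    """Stateful: DNS answers for a C2 name are remembered so later connections to that IP match."""

    def __init__(self, cfg: Dict):
        self.c2_hosts, self.c2_ports = iocs_from_config(cfg)
        self.c2_ips: Set[str] = set()

    def run(self, records: List[Dict]) -> List[Finding]:
        findings: List[Finding] = []
        for rec in records:
            findings.extend(getattr(self, "on_" + rec["type"])(rec))
        return findings

    def on_dns(self, rec: Dict) -> List[Finding]:
        name = rec["query"].lower().rstrip(".")
        answers = rec.get("answers", [])
        if name in self.c2_hosts:
            self.c2_ips.update(answers)
            return [Finding("c2-dns", "high", name + " -> " + ", ".join(answers))]
        if name.endswith(TUNNEL_SUFFIXES):
            return [Finding("tunnel-dns", "medium", name)]
        return []

    def on_conn(self, rec: Dict) -> List[Finding]:
        dport = int(rec["dport"])
        where = f"{rec['src']}:{rec['sport']} -> {rec['dst']}:{dport}/{rec['proto']}"
        if rec["dst"] in self.c2_ips or dport in self.c2_ports:
            return [Finding("c2-connection", "high", where)]
        if dport >= 1024 and dport not in STANDARD_PORTS:
            return [Finding("nonstandard-port", "low", where)]
        return []

    def on_http(self, rec: Dict) -> List[Finding]:
        url = urlsplit(rec["url"])
        headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        line = rec["method"] + " " + rec["url"]
        out: List[Finding] = []
        fields = parse_qs(url.query).get("fields", [""])[0]
        if (url.hostname or "").lower().endswith(IP_LOOKUP_HOSTS) and "hosting" in fields:
            out.append(Finding("hosting-check", "medium", line))
        if "user-agent" not in headers:
            out.append(Finding("no-user-agent", "low", line))
        return out


# Constructed records: the report's DNS/HTTP/TCP traffic plus benign negative controls
SAMPLE_RECORDS = [
    {"type": "dns", "query": "ip-api.com", "answers": ["208.95.112.1"]},
    {"type": "http", "method": "GET", "url": "http://ip-api.com/line/?fields=hosting",
     "headers": {"Host": "ip-api.com", "Connection": "Keep-Alive"}},   # no User-Agent, as observed
    {"type": "dns", "query": "rest-root.gl.at.ply.gg", "answers": ["147.185.221.20"]},
    {"type": "conn", "src": "192.168.2.4", "sport": 49737, "dst": "147.185.221.20", "dport": 22746, "proto": "tcp"},
    {"type": "dns", "query": "updates.example.com", "answers": ["192.0.2.10"]},
    {"type": "conn", "src": "192.168.2.4", "sport": 49801, "dst": "192.0.2.10", "dport": 443, "proto": "tcp"},
    {"type": "http", "method": "GET", "url": "http://updates.example.com/manifest.json",
     "headers": {"Host": "updates.example.com", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}},
]

if __name__ == "__main__":
    for f in NetworkDetector(CONFIG).run(SAMPLE_RECORDS):
        print(f"[{f.severity}] {f.technique}: {f.detail}")
```

On the constructed records this yields four findings in order: the hosting check, the missing User-Agent on that same request, the C2 DNS resolution, and the TCP session to the resolved address on port 22746. The port list is also consulted on its own, so a connection to an address the detector never saw resolved still matches if it uses the configured port; everything else on a non-standard high port is only a low-severity lead.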

                      Operating System Destruction

Source: C:\Users\user\Desktop\Windows Defender.exe | Process information set: 01 00 00 00 (ProcessBreakOnTermination set to 1: the process marks itself critical, so terminating it crashes the host with a CRITICAL_PROCESS_DIED bugcheck. This is the "Protects its processes via BreakOnTermination flag" signature listed above; responders should clear the flag before killing the process.)

                      System Summary

Source: Windows Defender.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Windows Defender.exe.12991a78.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.Windows Defender.exe.670000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2968960632.0000000012991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1679736888.0000000000672000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Windows defender.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen

The ditekSHen AsyncRAT rule fires here on generic strings (the VirtualBox and Win32_ComputerSystem anti-VM checks and the browser User-Agent strings listed in the Yara section) that XWorm carries as well; the family attribution rests on the JoeSecurity_XWorm rule and the extracted configuration, not on this match.
Source: C:\Users\user\Desktop\Windows Defender.exe | Code function: 0_2_00007FFD9B8B5F5E
Source: C:\Users\user\Desktop\Windows Defender.exe | Code function: 0_2_00007FFD9B8B1719
Source: C:\Users\user\Desktop\Windows Defender.exe | Code function: 0_2_00007FFD9B8B21B1
Source: C:\Users\user\Desktop\Windows Defender.exe | Code function: 0_2_00007FFD9B8B6D0E
Source: C:\Users\user\Desktop\Windows Defender.exe | Code function: 0_2_00007FFD9B8B108D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B9730E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFD9B8B947D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFD9B9630E9
Source: C:\Users\user\AppData\Roaming\Windows defender.exe | Code function: 13_2_00007FFD9B871719
Source: C:\Users\user\AppData\Roaming\Windows defender.exe | Code function: 13_2_00007FFD9B871038
Source: C:\Users\user\AppData\Roaming\Windows defender.exe | Code function: 14_2_00007FFD9B8A1719
Source: C:\Users\user\AppData\Roaming\Windows defender.exe | Code function: 14_2_00007FFD9B8A1038
                      Source: Windows Defender.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: Windows Defender.exe, type: SAMPLEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 0.2.Windows Defender.exe.12991a78.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 0.0.Windows Defender.exe.670000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 00000000.00000002.2968960632.0000000012991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 00000000.00000000.1679736888.0000000000672000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: Windows Defender.exe, k9ZEaIQ7WE7abcI.csCryptographic APIs: 'TransformFinalBlock'
                      Source: Windows Defender.exe, sjmftLizVeKZw8R.csCryptographic APIs: 'TransformFinalBlock'
                      Source: Windows Defender.exe, sjmftLizVeKZw8R.csCryptographic APIs: 'TransformFinalBlock'
                      Source: Windows defender.exe.0.dr, k9ZEaIQ7WE7abcI.csCryptographic APIs: 'TransformFinalBlock'
                      Source: Windows defender.exe.0.dr, sjmftLizVeKZw8R.csCryptographic APIs: 'TransformFinalBlock'
                      Source: Windows defender.exe.0.dr, sjmftLizVeKZw8R.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, k9ZEaIQ7WE7abcI.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, sjmftLizVeKZw8R.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, sjmftLizVeKZw8R.csCryptographic APIs: 'TransformFinalBlock'
Source: Windows Defender.exe, DNAvWoxlxYdwRmJ.cs | Base64 encoded string: 'UEic17gcdPhei7NnSlP1I0Y58TvKNTbgrbxsIk5USybNlzFCkAlPuXlyHhTWVtuIOh2yjhKVZAfTP5zk'
Source: Windows Defender.exe, k9ZEaIQ7WE7abcI.cs | Base64 encoded string: 'rdcKgil9jw1X2zdhihPXMwx7NCEcpYuAy8GxwHjnbaqaCLbIs27TnYWaWe1xcOjZQGlC3JnA6kJmSSCg'
Source: Windows Defender.exe, I3Th8Mh3i2t6BO8.cs | Base64 encoded string: 'ooPbg3qvntthc1Q2MOaYfqnYeCorl1rGWJAqDjvVK7DZlR1HF8qVL2TtZT2FehNaORfpdfWI4xIKVGOW', 'h9zhxh8trJDojSxz4ITn1YDS9EBVcSKfoSMLUNeofbxf7OXBUGFWirolxmtB1QmR3yLjIYz1Jbf70ld4'
Source: Windows Defender.exe, sjmftLizVeKZw8R.cs | Base64 encoded string: 'WEghI6uy2hFG1KHMgJsxoeGDRWzqEtXs8BJ5FHd0UUsFI9xL92oq63FtNLGtTw2sloDAYe86xqB7xWXt', 'goU85lIv4pENuscgMlWnuHS2oToHNclhUeiw1bQyy3BRHZkddyFpORvr5PP0EKuQsTlLKXC1p4cENgGr', 'u157DBp3iqR0B6XEZqjM42CgiUFW8T92NU4BAOhwquDkhRdMBsSRYe3q0ySCXVY41HLaPayoYhYbajoK', 'tqQq3wWS7UeKjGfGpnRdlcBpI3wfpTJh73RVES4EmHVEHFQqzNTy1f0bMk0mVTx3pbPLNFw9u1ReOW6w', 'wd7w6tcGfInQeyX9f5URfqDdOrpwKnz6mRWILeMPyLBeJlKht2NlbHY6bA2j3aQjHclStR97zJuKSzyW', 'WnJk9xds6ydUfk9kYx3UmjnpPwVHYl0N9PXCifxGEbl0JaGMHSZSp3USKAX4jTQmffZNsCf0CrWmb6Ky', 'TmqrLHLStmuvVyBREn23NU36bUw6coOO3DKqyX6KEdnaLxzj6jKamhdm7B70VDI9NjKBrsaWPPmgLZvj', 'r9l0Gd958lkcLlCpgsAQlzFEmniYPhTO9bAv8mPCy3aD0FXmzLOzgVPhxOxNlDMaZZm6PYGEiZu477I4', 'rKRJC6Ohqhl8eju1hY25TerPmTIDZYfFw6VVcVUxBoOiru5yZrQMI81x3KvuCWSi2DDDhoPT8arLkRev', 'peqHxWF4qkAxGfZzCiLc9DOMMepLszbIlaZAZK7bPIgpg9Pfq1I5ZkjGHNcjNkeRrGlnSK15S8MtEmpm', 'oz2CHMvGGyPS5AfvXkUNKRWY70JRmDKBsB3OodHfbmgG6aj0wJlG0vaIV3O2joyTwzaUbAoxX83agaMp'
Source: Windows Defender.exe, hkW0iHAt1n34uyi.cs | Base64 encoded string: 'ViJekX5myKyv49Z0rre4JgYbfabIkBmeQsIX0Lgd7HE2xxZQzMKkuFIVWP7D4qRmvir9dxSWtJ8IIX4p', 'zwD8WMc2WdKuVghVOFcg7UFSnswD7Nb6XXBVIff0WZuHnwmBYVmREHZXo5SGWC8nHVlwKx25WsDMTJIP', 'XF17ykcQAwVhqNmkqgqloozK6dJVhA90CNaNs8R49dbRb3NO4juUdeYTuDRBTWfQ3ozUVm3AbXwfDdcy', 'KEY4Vx29ifLGrOd4mzqFUgQFQWGAhK4tJZ9qfes3PNXMWLL68pOcGjPP4JpNgBjkACfl3KRqrxXT14T2'
Source: Windows Defender.exe, cwqxDxQiWlgCHGb.cs | Base64 encoded string: 'ZVH0I3tjoa1EqoTOQwyS3s1Pr9kdpODAaYH2Y5UxLB6MgijTZzCxyRsE2F9ORt54HNUvt9qBdMvEHPpQ', 'SpRLbf9VI6TjUykFmo9x1LpfSeva0PzcIz6eomkLPGMVXzc0Ys7qZ1xYjsMJ47OlUDbRMfpp0IQyW1op', 'V4p81Jz72fONymG0ufV4eOafKCddIidlLZKD6eLGhay9oToKxM1nGWxqdBthCGD9SIUaudEivy7m2J4c', 'GEAL1LI9RSVoLCL39R7H5RJxMKUVhXpSi99d1h28Vi8H9xeKkhts6HrLYmjPGLrbvMHSFvc5Fx3DCPLz', 'Lm0SPRS8nECsoK8zCJpxprvXwYnvtnTLTOZZ70Iu34zz9Zmq7Em9DmcSg8EAF2Odi4syFegf8Is0oJCm', 'S60u4i1SJ9h68Vmptzs1AIRSzItwQ7HIzAHWCERgOo87v8qDBPS3HAIK7ZbeNOPgb3HqUZZ9rD20GW54', 'W3O1L1iqrk8KhZ87RWoTqXVc4W2M2ObxSpXv7drMTpcKr8xwZ9PijAVxca3bYrp1HKtFzoxdfMzH5b25', 'ImqIeQfEfEMyLQcQIs3NOYe2TQLeusfAvxL7vfxIR0F5kavKW2smnIBHqOS4MchBmFKIgVBZcVcdPKTu', 'sPnkd3CF4h2wf0vADBLdSubVdskF9QK6YYDT7pAvmXhfvf3m4ZcKqKu5VrhTxjvcX9sYvAr6AE4I1MmI', 'Pwnz8L4g7Q1hkgJ1G6Y8tzeoRggKLIFcFm8I5Wb1IduXdvHK9QtF8xbpCI4JVuw7a4FkJGZ1kyja7INW', 'zTcoLtiDQUKEfbbQ9DMQA6t1vjQdNhiy2nhLIOymrl7HawDadJNdPVKyvmuuO9qUtf0MDMzx97Dfow7n', 'HssZBJNobvSzJLj2MqIbojCesksghFPp8FVlg2cMG3b1bECZar1xmRuNzJuazdBvqej1rtWFG6T65I7o', 'KMSLjKVtooNric6EzwGzjkjqc3f1ud45t8aBvjKmQ8lKIYTjir3D58mY5HBoiXzwzDx746dzREdaMrWl'
Source: Windows defender.exe.0.dr, DNAvWoxlxYdwRmJ.cs | Base64 encoded string: 'UEic17gcdPhei7NnSlP1I0Y58TvKNTbgrbxsIk5USybNlzFCkAlPuXlyHhTWVtuIOh2yjhKVZAfTP5zk'
Source: Windows defender.exe.0.dr, k9ZEaIQ7WE7abcI.cs | Base64 encoded string: 'rdcKgil9jw1X2zdhihPXMwx7NCEcpYuAy8GxwHjnbaqaCLbIs27TnYWaWe1xcOjZQGlC3JnA6kJmSSCg'
Source: Windows defender.exe.0.dr, I3Th8Mh3i2t6BO8.cs | Base64 encoded string: 'ooPbg3qvntthc1Q2MOaYfqnYeCorl1rGWJAqDjvVK7DZlR1HF8qVL2TtZT2FehNaORfpdfWI4xIKVGOW', 'h9zhxh8trJDojSxz4ITn1YDS9EBVcSKfoSMLUNeofbxf7OXBUGFWirolxmtB1QmR3yLjIYz1Jbf70ld4'
Source: Windows defender.exe.0.dr, sjmftLizVeKZw8R.cs | Base64 encoded string: 'WEghI6uy2hFG1KHMgJsxoeGDRWzqEtXs8BJ5FHd0UUsFI9xL92oq63FtNLGtTw2sloDAYe86xqB7xWXt', 'goU85lIv4pENuscgMlWnuHS2oToHNclhUeiw1bQyy3BRHZkddyFpORvr5PP0EKuQsTlLKXC1p4cENgGr', 'u157DBp3iqR0B6XEZqjM42CgiUFW8T92NU4BAOhwquDkhRdMBsSRYe3q0ySCXVY41HLaPayoYhYbajoK', 'tqQq3wWS7UeKjGfGpnRdlcBpI3wfpTJh73RVES4EmHVEHFQqzNTy1f0bMk0mVTx3pbPLNFw9u1ReOW6w', 'wd7w6tcGfInQeyX9f5URfqDdOrpwKnz6mRWILeMPyLBeJlKht2NlbHY6bA2j3aQjHclStR97zJuKSzyW', 'WnJk9xds6ydUfk9kYx3UmjnpPwVHYl0N9PXCifxGEbl0JaGMHSZSp3USKAX4jTQmffZNsCf0CrWmb6Ky', 'TmqrLHLStmuvVyBREn23NU36bUw6coOO3DKqyX6KEdnaLxzj6jKamhdm7B70VDI9NjKBrsaWPPmgLZvj', 'r9l0Gd958lkcLlCpgsAQlzFEmniYPhTO9bAv8mPCy3aD0FXmzLOzgVPhxOxNlDMaZZm6PYGEiZu477I4', 'rKRJC6Ohqhl8eju1hY25TerPmTIDZYfFw6VVcVUxBoOiru5yZrQMI81x3KvuCWSi2DDDhoPT8arLkRev', 'peqHxWF4qkAxGfZzCiLc9DOMMepLszbIlaZAZK7bPIgpg9Pfq1I5ZkjGHNcjNkeRrGlnSK15S8MtEmpm', 'oz2CHMvGGyPS5AfvXkUNKRWY70JRmDKBsB3OodHfbmgG6aj0wJlG0vaIV3O2joyTwzaUbAoxX83agaMp'
Source: Windows defender.exe.0.dr, hkW0iHAt1n34uyi.cs | Base64 encoded string: 'ViJekX5myKyv49Z0rre4JgYbfabIkBmeQsIX0Lgd7HE2xxZQzMKkuFIVWP7D4qRmvir9dxSWtJ8IIX4p', 'zwD8WMc2WdKuVghVOFcg7UFSnswD7Nb6XXBVIff0WZuHnwmBYVmREHZXo5SGWC8nHVlwKx25WsDMTJIP', 'XF17ykcQAwVhqNmkqgqloozK6dJVhA90CNaNs8R49dbRb3NO4juUdeYTuDRBTWfQ3ozUVm3AbXwfDdcy', 'KEY4Vx29ifLGrOd4mzqFUgQFQWGAhK4tJZ9qfes3PNXMWLL68pOcGjPP4JpNgBjkACfl3KRqrxXT14T2'
Source: Windows defender.exe.0.dr, cwqxDxQiWlgCHGb.cs | Base64 encoded string: 'ZVH0I3tjoa1EqoTOQwyS3s1Pr9kdpODAaYH2Y5UxLB6MgijTZzCxyRsE2F9ORt54HNUvt9qBdMvEHPpQ', 'SpRLbf9VI6TjUykFmo9x1LpfSeva0PzcIz6eomkLPGMVXzc0Ys7qZ1xYjsMJ47OlUDbRMfpp0IQyW1op', 'V4p81Jz72fONymG0ufV4eOafKCddIidlLZKD6eLGhay9oToKxM1nGWxqdBthCGD9SIUaudEivy7m2J4c', 'GEAL1LI9RSVoLCL39R7H5RJxMKUVhXpSi99d1h28Vi8H9xeKkhts6HrLYmjPGLrbvMHSFvc5Fx3DCPLz', 'Lm0SPRS8nECsoK8zCJpxprvXwYnvtnTLTOZZ70Iu34zz9Zmq7Em9DmcSg8EAF2Odi4syFegf8Is0oJCm', 'S60u4i1SJ9h68Vmptzs1AIRSzItwQ7HIzAHWCERgOo87v8qDBPS3HAIK7ZbeNOPgb3HqUZZ9rD20GW54', 'W3O1L1iqrk8KhZ87RWoTqXVc4W2M2ObxSpXv7drMTpcKr8xwZ9PijAVxca3bYrp1HKtFzoxdfMzH5b25', 'ImqIeQfEfEMyLQcQIs3NOYe2TQLeusfAvxL7vfxIR0F5kavKW2smnIBHqOS4MchBmFKIgVBZcVcdPKTu', 'sPnkd3CF4h2wf0vADBLdSubVdskF9QK6YYDT7pAvmXhfvf3m4ZcKqKu5VrhTxjvcX9sYvAr6AE4I1MmI', 'Pwnz8L4g7Q1hkgJ1G6Y8tzeoRggKLIFcFm8I5Wb1IduXdvHK9QtF8xbpCI4JVuw7a4FkJGZ1kyja7INW', 'zTcoLtiDQUKEfbbQ9DMQA6t1vjQdNhiy2nhLIOymrl7HawDadJNdPVKyvmuuO9qUtf0MDMzx97Dfow7n', 'HssZBJNobvSzJLj2MqIbojCesksghFPp8FVlg2cMG3b1bECZar1xmRuNzJuazdBvqej1rtWFG6T65I7o', 'KMSLjKVtooNric6EzwGzjkjqc3f1ud45t8aBvjKmQ8lKIYTjir3D58mY5HBoiXzwzDx746dzREdaMrWl'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, DNAvWoxlxYdwRmJ.cs | Base64 encoded string: 'UEic17gcdPhei7NnSlP1I0Y58TvKNTbgrbxsIk5USybNlzFCkAlPuXlyHhTWVtuIOh2yjhKVZAfTP5zk'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, k9ZEaIQ7WE7abcI.cs | Base64 encoded string: 'rdcKgil9jw1X2zdhihPXMwx7NCEcpYuAy8GxwHjnbaqaCLbIs27TnYWaWe1xcOjZQGlC3JnA6kJmSSCg'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, I3Th8Mh3i2t6BO8.cs | Base64 encoded string: 'ooPbg3qvntthc1Q2MOaYfqnYeCorl1rGWJAqDjvVK7DZlR1HF8qVL2TtZT2FehNaORfpdfWI4xIKVGOW', 'h9zhxh8trJDojSxz4ITn1YDS9EBVcSKfoSMLUNeofbxf7OXBUGFWirolxmtB1QmR3yLjIYz1Jbf70ld4'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, sjmftLizVeKZw8R.cs | Base64 encoded string: 'WEghI6uy2hFG1KHMgJsxoeGDRWzqEtXs8BJ5FHd0UUsFI9xL92oq63FtNLGtTw2sloDAYe86xqB7xWXt', 'goU85lIv4pENuscgMlWnuHS2oToHNclhUeiw1bQyy3BRHZkddyFpORvr5PP0EKuQsTlLKXC1p4cENgGr', 'u157DBp3iqR0B6XEZqjM42CgiUFW8T92NU4BAOhwquDkhRdMBsSRYe3q0ySCXVY41HLaPayoYhYbajoK', 'tqQq3wWS7UeKjGfGpnRdlcBpI3wfpTJh73RVES4EmHVEHFQqzNTy1f0bMk0mVTx3pbPLNFw9u1ReOW6w', 'wd7w6tcGfInQeyX9f5URfqDdOrpwKnz6mRWILeMPyLBeJlKht2NlbHY6bA2j3aQjHclStR97zJuKSzyW', 'WnJk9xds6ydUfk9kYx3UmjnpPwVHYl0N9PXCifxGEbl0JaGMHSZSp3USKAX4jTQmffZNsCf0CrWmb6Ky', 'TmqrLHLStmuvVyBREn23NU36bUw6coOO3DKqyX6KEdnaLxzj6jKamhdm7B70VDI9NjKBrsaWPPmgLZvj', 'r9l0Gd958lkcLlCpgsAQlzFEmniYPhTO9bAv8mPCy3aD0FXmzLOzgVPhxOxNlDMaZZm6PYGEiZu477I4', 'rKRJC6Ohqhl8eju1hY25TerPmTIDZYfFw6VVcVUxBoOiru5yZrQMI81x3KvuCWSi2DDDhoPT8arLkRev', 'peqHxWF4qkAxGfZzCiLc9DOMMepLszbIlaZAZK7bPIgpg9Pfq1I5ZkjGHNcjNkeRrGlnSK15S8MtEmpm', 'oz2CHMvGGyPS5AfvXkUNKRWY70JRmDKBsB3OodHfbmgG6aj0wJlG0vaIV3O2joyTwzaUbAoxX83agaMp'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, hkW0iHAt1n34uyi.cs | Base64 encoded string: 'ViJekX5myKyv49Z0rre4JgYbfabIkBmeQsIX0Lgd7HE2xxZQzMKkuFIVWP7D4qRmvir9dxSWtJ8IIX4p', 'zwD8WMc2WdKuVghVOFcg7UFSnswD7Nb6XXBVIff0WZuHnwmBYVmREHZXo5SGWC8nHVlwKx25WsDMTJIP', 'XF17ykcQAwVhqNmkqgqloozK6dJVhA90CNaNs8R49dbRb3NO4juUdeYTuDRBTWfQ3ozUVm3AbXwfDdcy', 'KEY4Vx29ifLGrOd4mzqFUgQFQWGAhK4tJZ9qfes3PNXMWLL68pOcGjPP4JpNgBjkACfl3KRqrxXT14T2'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, cwqxDxQiWlgCHGb.cs | Base64 encoded string: 'ZVH0I3tjoa1EqoTOQwyS3s1Pr9kdpODAaYH2Y5UxLB6MgijTZzCxyRsE2F9ORt54HNUvt9qBdMvEHPpQ', 'SpRLbf9VI6TjUykFmo9x1LpfSeva0PzcIz6eomkLPGMVXzc0Ys7qZ1xYjsMJ47OlUDbRMfpp0IQyW1op', 'V4p81Jz72fONymG0ufV4eOafKCddIidlLZKD6eLGhay9oToKxM1nGWxqdBthCGD9SIUaudEivy7m2J4c', 'GEAL1LI9RSVoLCL39R7H5RJxMKUVhXpSi99d1h28Vi8H9xeKkhts6HrLYmjPGLrbvMHSFvc5Fx3DCPLz', 'Lm0SPRS8nECsoK8zCJpxprvXwYnvtnTLTOZZ70Iu34zz9Zmq7Em9DmcSg8EAF2Odi4syFegf8Is0oJCm', 'S60u4i1SJ9h68Vmptzs1AIRSzItwQ7HIzAHWCERgOo87v8qDBPS3HAIK7ZbeNOPgb3HqUZZ9rD20GW54', 'W3O1L1iqrk8KhZ87RWoTqXVc4W2M2ObxSpXv7drMTpcKr8xwZ9PijAVxca3bYrp1HKtFzoxdfMzH5b25', 'ImqIeQfEfEMyLQcQIs3NOYe2TQLeusfAvxL7vfxIR0F5kavKW2smnIBHqOS4MchBmFKIgVBZcVcdPKTu', 'sPnkd3CF4h2wf0vADBLdSubVdskF9QK6YYDT7pAvmXhfvf3m4ZcKqKu5VrhTxjvcX9sYvAr6AE4I1MmI', 'Pwnz8L4g7Q1hkgJ1G6Y8tzeoRggKLIFcFm8I5Wb1IduXdvHK9QtF8xbpCI4JVuw7a4FkJGZ1kyja7INW', 'zTcoLtiDQUKEfbbQ9DMQA6t1vjQdNhiy2nhLIOymrl7HawDadJNdPVKyvmuuO9qUtf0MDMzx97Dfow7n', 'HssZBJNobvSzJLj2MqIbojCesksghFPp8FVlg2cMG3b1bECZar1xmRuNzJuazdBvqej1rtWFG6T65I7o', 'KMSLjKVtooNric6EzwGzjkjqc3f1ud45t8aBvjKmQ8lKIYTjir3D58mY5HBoiXzwzDx746dzREdaMrWl'
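The "Base64 encoded string" signature above fires on any long token drawn from the Base64 alphabet; it does not tell you whether the token actually carries encoded data or is key material or an obfuscator-generated constant. The following triage helper is an added example, not part of the Joe Sandbox report or of the sample: it decodes a token and uses the share of printable bytes to separate readable text from binary. The first two tokens are copied from the DNAvWoxlxYdwRmJ.cs and k9ZEaIQ7WE7abcI.cs findings; the third is a constructed control string, and the function name and the 0.95 threshold are assumptions of this example.

```powershell
# Added triage helper (not from the report). Classifies Base64-looking tokens by
# what they decode to. Tokens 1 and 2 are copied from the report; token 3 is a
# constructed control; the 0.95 printable threshold is an assumption.
function Test-Base64Token {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Token)
    process {
        $bytes = $null
        try { $bytes = [Convert]::FromBase64String($Token) } catch { }
        if (-not $bytes) {
            return [pscustomobject]@{ Token = $Token; Decodes = $false; Printable = 0; Verdict = 'not valid Base64' }
        }
        # Share of decoded bytes in printable ASCII (0x20..0x7e). Encoded text gives
        # ~1.0; uniformly random bytes give roughly 95/256 = 0.37.
        $printable = @($bytes | Where-Object { $_ -ge 0x20 -and $_ -le 0x7e }).Count / $bytes.Length
        $verdict = if ($printable -ge 0.95) {
            'decodes to text: ' + [Text.Encoding]::ASCII.GetString($bytes)
        } else {
            'decodes to binary (key material, ciphertext or obfuscator token)'
        }
        [pscustomobject]@{
            Token     = $Token
            Decodes   = $true
            Printable = [math]::Round($printable, 2)
            Verdict   = $verdict
        }
    }
}

$samples = @(
    # From the report (DNAvWoxlxYdwRmJ.cs and k9ZEaIQ7WE7abcI.cs)
    'UEic17gcdPhei7NnSlP1I0Y58TvKNTbgrbxsIk5USybNlzFCkAlPuXlyHhTWVtuIOh2yjhKVZAfTP5zk',
    'rdcKgil9jw1X2zdhihPXMwx7NCEcpYuAy8GxwHjnbaqaCLbIs27TnYWaWe1xcOjZQGlC3JnA6kJmSSCg',
    # Constructed control: genuine Base64 of a readable command fragment
    [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes('Add-MpPreference -ExclusionPath'))
)
$samples | Test-Base64Token | Format-Table -AutoSize -Wrap
```

An 80-character token is a multiple of four, so it always decodes without error; only the content of the decoded bytes says whether the signature found encoded data. Tokens that decode to binary are still worth keeping as indicators, since obfuscators reuse them across builds, but they should not be reported as "encoded strings" without this check.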
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, 85IhxSGtOfNN64Z.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, 85IhxSGtOfNN64Z.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Windows defender.exe.0.dr, 85IhxSGtOfNN64Z.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Windows defender.exe.0.dr, 85IhxSGtOfNN64Z.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Windows Defender.exe, 85IhxSGtOfNN64Z.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Windows Defender.exe, 85IhxSGtOfNN64Z.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@15/21@2/2
Source: C:\Users\user\Desktop\Windows Defender.exe | File created: C:\Users\user\AppData\Roaming\Windows defender.exe
Source: C:\Users\user\Desktop\Windows Defender.exe | Mutant created: \Sessions\1\BaseNamedObjects\Vi0dGCBzRjwIFWiY
Source: C:\Users\user\AppData\Roaming\Windows defender.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1028:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6264:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3052:120:WilError_03
Source: C:\Users\user\Desktop\Windows Defender.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
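The mutex, dropped copy and Log.tmp above are the host artifacts this run leaves behind. Two caveats before hunting on them: the SM0:*:WilError_03 mutants belong to conhost.exe and appear whenever a console host starts, so they are not indicators; and the dropped copy creates an unnamed mutant ("NULL"), which cannot be hunted by name. The script below is an added example, not part of the report or of the sample. It checks the named mutex from the calling session and the two file paths, and prints the SHA256 of any file it finds so it can be compared against the hashes in the report. The mutex name and the two paths are the report's; the function name, the profile-relative path expansion and the output shape are assumptions of this example.

```powershell
# Added host check (not from the report). Looks for the named mutex and the two
# dropped files this run produced. Mutex name and paths are from the report;
# the function name and output shape are assumptions.
function Get-ReportedHostArtifact {
    param(
        [string[]]$MutexNames = @('Vi0dGCBzRjwIFWiY'),
        [string[]]$Paths = @(
            "$env:APPDATA\Windows defender.exe",      # C:\Users\<user>\AppData\Roaming\Windows defender.exe
            "$env:LOCALAPPDATA\Temp\Log.tmp"          # C:\Users\<user>\AppData\Local\Temp\Log.tmp
        )
    )
    foreach ($name in $MutexNames) {
        # An unprefixed name lives under the caller's \Sessions\<n>\BaseNamedObjects,
        # exactly as the report shows (\Sessions\1\...). Run this in the session the
        # sample ran in; prefixing 'Global\' would look in the wrong namespace.
        $m = $null
        $state = 'absent'
        try {
            if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
                $state = 'present'
                $m.Dispose()
            }
        } catch [System.UnauthorizedAccessException] {
            # The object exists but we lack rights on it: still a positive hit.
            $state = 'present (access denied)'
        }
        [pscustomobject]@{ Kind = 'Mutex'; Value = $name; State = $state; SHA256 = '' }
    }
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            [pscustomobject]@{ Kind = 'File'; Value = $p; State = 'present'; SHA256 = $hash }
        } else {
            [pscustomobject]@{ Kind = 'File'; Value = $p; State = 'absent'; SHA256 = '' }
        }
    }
}

Get-ReportedHostArtifact | Format-Table -AutoSize
```

The mutex check is only meaningful while the process is alive; once it exits the object disappears, so pair it with the file checks and with the Defender exclusion audit further down when triaging a host after the fact.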
Source: Windows Defender.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Windows Defender.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Windows Defender.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Windows Defender.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Windows Defender.exe | ReversingLabs: Detection: 73%
Source: C:\Users\user\Desktop\Windows Defender.exe | File read: C:\Users\user\Desktop\Windows Defender.exe
Source: unknown | Process created: C:\Users\user\Desktop\Windows Defender.exe "C:\Users\user\Desktop\Windows Defender.exe"
Source: C:\Users\user\Desktop\Windows Defender.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Windows Defender.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Windows Defender.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows defender.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Windows Defender.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows defender.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Windows defender.exe "C:\Users\user\AppData\Roaming\Windows defender.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Windows defender.exe "C:\Users\user\AppData\Roaming\Windows defender.exe"
Source: C:\Users\user\Desktop\Windows Defender.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe'
Source: C:\Users\user\Desktop\Windows Defender.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'
Source: C:\Users\user\Desktop\Windows Defender.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows defender.exe'
Source: C:\Users\user\Desktop\Windows Defender.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows defender.exe'
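The four PowerShell launches above are the sample's defence-evasion step: it excludes its own on-disk copy and its dropped copy from Microsoft Defender by path, and any process named "Windows Defender.exe" by image name. Add-MpPreference only succeeds in an elevated context, which is why the sample first runs the WindowsIdentity.GetCurrent / WindowsPrincipal.IsInRole check listed in the 85IhxSGtOfNN64Z.cs findings earlier. Note also that -ExecutionPolicy Bypass only relaxes script-signing policy; it does not disable script block logging, so the Add-MpPreference call is still recorded. The audit script below is an added example serving both of those passages; it is not part of the report or of the sample. It repeats the sample's elevation check, lists Defender exclusions that match the report or sit under a user profile, pulls the Defender configuration-change and PowerShell script block events for the command, and offers opt-in removal. The paths, process names and command line are the report's; the function names, the 7-day window, the matching rules and the $Remediate switch are assumptions of this example.

```powershell
# Added audit script (not from the report or the sample). Paths, process names
# and the command line are from the report; function names, the lookback window,
# the matching heuristics and the $Remediate switch are assumptions.

function Test-IsElevated {
    # Same check the sample's 85IhxSGtOfNN64Z.cs performs:
    # WindowsIdentity.GetCurrent() + WindowsPrincipal.IsInRole(Administrator).
    # Add-MpPreference needs it, and so does a complete Get-MpPreference listing.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $pr = New-Object Security.Principal.WindowsPrincipal($id)
    return $pr.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-SuspiciousDefenderExclusion {
    # Exclusions the report shows the sample adding.
    $reportedPaths = @(
        'C:\Users\user\Desktop\Windows Defender.exe',
        'C:\Users\user\AppData\Roaming\Windows defender.exe'
    )
    $reportedProcs = @('Windows Defender.exe', 'Windows defender.exe')

    $pref = Get-MpPreference
    foreach ($p in @($pref.ExclusionPath)) {
        if (-not $p) { continue }
        # Exact hit on a reported path, or anything under a user profile: Defender's
        # own binaries never live under C:\Users. (-contains is case-insensitive.)
        if (($reportedPaths -contains $p) -or ($p -like 'C:\Users\*')) {
            [pscustomobject]@{ Kind = 'ExclusionPath'; Value = $p }
        }
    }
    foreach ($p in @($pref.ExclusionProcess)) {
        if (-not $p) { continue }
        # A process exclusion covers every file opened by any image with that name.
        if (($reportedProcs -contains $p) -or ($p -like '*defender*')) {
            [pscustomobject]@{ Kind = 'ExclusionProcess'; Value = $p }
        }
    }
}

function Get-ExclusionChangeEvent {
    param([int]$Days = 7)
    # Defender writes event 5007 on every configuration change; the message names
    # the registry value, e.g. ...\Exclusions\Paths\<path>.
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } | Where-Object { $_.Message -match 'Exclusions\\(Paths|Processes)' } |
      Select-Object TimeCreated, Message
}

function Get-AddMpPreferenceScriptBlock {
    param([int]$Days = 7)
    # Script block logging (event 4104) records the command even though it was
    # launched with -ExecutionPolicy Bypass.
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddDays(-$Days)
    } | Where-Object { $_.Message -match 'Add-MpPreference\s+-Exclusion(Path|Process)' } |
      Select-Object TimeCreated, Message
}

if (-not (Test-IsElevated)) {
    Write-Warning 'Not elevated: exclusion lists may be hidden and cannot be removed.'
}

$findings = @(Get-SuspiciousDefenderExclusion)
$findings | Format-Table -AutoSize
Get-ExclusionChangeEvent | Format-Table -AutoSize -Wrap
Get-AddMpPreferenceScriptBlock | Format-Table -AutoSize -Wrap

# Removal is opt-in: review $findings first, then set $Remediate = $true.
$Remediate = $false
if ($Remediate -and $findings) {
    $paths = @($findings | Where-Object Kind -eq 'ExclusionPath'    | ForEach-Object Value)
    $procs = @($findings | Where-Object Kind -eq 'ExclusionProcess' | ForEach-Object Value)
    if ($paths) { Remove-MpPreference -ExclusionPath $paths }
    if ($procs) { Remove-MpPreference -ExclusionProcess $procs }
}
```

Removing the exclusions is only part of the cleanup: the dropped copy under %APPDATA% keeps running (the report shows it launched twice), so kill and delete it before re-scanning, or the next scan will find it and the exclusion may be re-added.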
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe Section loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe Section loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\Windows Defender.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                      Source: Windows defender.lnk.0.dr LNK file: ..\..\..\..\..\Windows defender.exe
                      Source: Window Recorder Window detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: Windows Defender.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: Windows Defender.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Data Obfuscation

                      Source: Windows Defender.exe, hkW0iHAt1n34uyi.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{IiG77VCIYIyAinp.SAF5KmKklxldXEs,IiG77VCIYIyAinp.LotdAze8Ef6WJIY,IiG77VCIYIyAinp.Kx9554HmAGalplp,IiG77VCIYIyAinp.wqwaheO8RVJ9q8D,sjmftLizVeKZw8R.oZBtFDCxkh7P706()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: Windows Defender.exe, hkW0iHAt1n34uyi.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{UyHzfp1JBRCQZN0[2],sjmftLizVeKZw8R.LmgXrb8KxfqOZHi(Convert.FromBase64String(UyHzfp1JBRCQZN0[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: Windows defender.exe.0.dr, hkW0iHAt1n34uyi.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{IiG77VCIYIyAinp.SAF5KmKklxldXEs,IiG77VCIYIyAinp.LotdAze8Ef6WJIY,IiG77VCIYIyAinp.Kx9554HmAGalplp,IiG77VCIYIyAinp.wqwaheO8RVJ9q8D,sjmftLizVeKZw8R.oZBtFDCxkh7P706()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: Windows defender.exe.0.dr, hkW0iHAt1n34uyi.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{UyHzfp1JBRCQZN0[2],sjmftLizVeKZw8R.LmgXrb8KxfqOZHi(Convert.FromBase64String(UyHzfp1JBRCQZN0[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, hkW0iHAt1n34uyi.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{IiG77VCIYIyAinp.SAF5KmKklxldXEs,IiG77VCIYIyAinp.LotdAze8Ef6WJIY,IiG77VCIYIyAinp.Kx9554HmAGalplp,IiG77VCIYIyAinp.wqwaheO8RVJ9q8D,sjmftLizVeKZw8R.oZBtFDCxkh7P706()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, hkW0iHAt1n34uyi.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{UyHzfp1JBRCQZN0[2],sjmftLizVeKZw8R.LmgXrb8KxfqOZHi(Convert.FromBase64String(UyHzfp1JBRCQZN0[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: Windows Defender.exe, hkW0iHAt1n34uyi.cs .Net Code: _6l4VVkKWlLft6pE System.AppDomain.Load(byte[])
                      Source: Windows Defender.exe, hkW0iHAt1n34uyi.cs .Net Code: _2yleSFZfrEaaNXy System.AppDomain.Load(byte[])
                      Source: Windows Defender.exe, hkW0iHAt1n34uyi.cs .Net Code: _2yleSFZfrEaaNXy
                      Source: Windows defender.exe.0.dr, hkW0iHAt1n34uyi.cs .Net Code: _6l4VVkKWlLft6pE System.AppDomain.Load(byte[])
                      Source: Windows defender.exe.0.dr, hkW0iHAt1n34uyi.cs .Net Code: _2yleSFZfrEaaNXy System.AppDomain.Load(byte[])
                      Source: Windows defender.exe.0.dr, hkW0iHAt1n34uyi.cs .Net Code: _2yleSFZfrEaaNXy
                      Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, hkW0iHAt1n34uyi.cs .Net Code: _6l4VVkKWlLft6pE System.AppDomain.Load(byte[])
                      Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, hkW0iHAt1n34uyi.cs .Net Code: _2yleSFZfrEaaNXy System.AppDomain.Load(byte[])
                      Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, hkW0iHAt1n34uyi.cs .Net Code: _2yleSFZfrEaaNXy
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B78D2A5 pushad ; iretd 1_2_00007FFD9B78D2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B8A0972 push E95A82D0h; ret 1_2_00007FFD9B8A09C9
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B8A1074 push E85B8B0Dh; ret 1_2_00007FFD9B8A10F9
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B972316 push 8B485F92h; iretd 1_2_00007FFD9B97231B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B78D2A5 pushad ; iretd 4_2_00007FFD9B78D2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B972316 push 8B485F92h; iretd 4_2_00007FFD9B97231B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B79D2A5 pushad ; iretd 7_2_00007FFD9B79D2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B982316 push 8B485F91h; iretd 7_2_00007FFD9B98231B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B77D2A5 pushad ; iretd 11_2_00007FFD9B77D2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B962316 push 8B485F93h; iretd 11_2_00007FFD9B96231B
                      Source: Windows Defender.exe, 4HsJjuIP2UkRI9R.csHigh entropy of concatenated method names: 'jfw6pgiyRlXjLvW', '_73kiPYRZTt9iH8K', 'LuMB2o4Uhl3slYm', '_5iGvflySuJ2XB7mOoMsErBneGDDGoTVQxB7zXHDoI1b0LC9IeT7lXims44Ai1VS7R', 'qsUJnoNFDmuJGsQgdplxKlxv63v6KavmbVtF0JwKJQAA07HzBLj1iDe8rhkxBPZOs', 'YeW5xHeQumgoAkjFU2J9qnRqbGllYzYTu1JWTlFx65nbNgN6kfL4Tj3g8N066pGVH', 'C9g9BCZonES8wz7DXkLz8oNb9f926DDafJELUyu01BVE34DuE34v1X1ttiQoMK0Fl', '_6GrR4BNPHoCS3xvSYAnwhYYm8IFBAqwW3S7L67cWPC8A5B5CuHuaIboPDwjsyuUX7', 'rjcbd1yYzzaaY8lGu3cfV6xgZbMypogrooTZ5z7t3LIHv5eZFM7fWXHCLBBb8vEkG', 'AwF5JHjCl5FhRMAkYMRBiy5ekbqTyLdWmHkLQp1gM6RrCm8sIApYyfqhmokialfEU'
                      Source: Windows Defender.exe, IiG77VCIYIyAinp.csHigh entropy of concatenated method names: 'On7tk7CL4ICqwtJ17iyjvmroiyw8WZlr4MB4LP0nA8dx3ySI', 'V7eUuu0Dc75KTOrci9ReUfHmMHpjn3wFJJRKZH6QBZt45qfA', '_7V3NAsTVvEpV1KghbpMBUBfXxJ0gqd14EW7QgC5jRRCOicxa', 'H3wsgnzQp18ON9bs9wjvVyXbX9kSmtp8LrrlKFAIKltFLuZt'
                      Source: Windows Defender.exe, GzYlpNyzaslb0P5ovfphEnusQWYGKo.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'EJzGa7Ric7poYCgb41mvt5ldgjt51zq0BhFA1Xjj4wvS8InZ', 'GQ7tE9xs7bgguiu4ayikFAYQW0uh1MtAiHNsSkYdUqkdsLPI', 'omqgjj5ThJ8sFg3yxDaEwabnJhSmuqwI4e38fCjJrhdNKM5V', 'fsP5Xf2jdvqOWEV11Et9IH91ihdTx8o2dGfo9jMlkXZcQBQX'
                      Source: Windows Defender.exe, yfcXnm8Ph88Q7SS.csHigh entropy of concatenated method names: 'YxIUiUb1239uDz3', 'gMqKkY39oBJdPEc', 'wDmblHZzi5ufWIx', 'fIi1pkQemOV1VOg', 'LP2QKJGgCnpmSZ9', 'LIjuTg9mGO9GE6i', 'HzUFxULiarW50EW', '_80kl1VPnKSNLHn1', 'Dm2owszwUpyoSfa', 'hfZTr2VHFCTKyZz'
                      Source: Windows Defender.exe, DNAvWoxlxYdwRmJ.csHigh entropy of concatenated method names: 'YIMRtj1s9oNdU0N', '_5520HD1l8I2XRvvtXor9rfriehZm8XltHQUn20fvMgMr2pscG6OXUObl62pMLvYKdozsLDDyfkrTUzmW', 'kiAxGyXDIwuNBtK5wSL03PDYcLGzFoSqgROWN7GzW8uxRe1zCAcaKSVXJCHkWSmyAx9dKZPxZnbkoans', 'UBEhOpEhEJVw0VvqFMFmXP0eFyLMjTEZiaEqtdOUt1LVVYwizDfaeR1OegbFNjEvIFl2IUDB5TiCzhtw', 'Q3EP9OA0Z2GirNFLWCgus087plBS9P1WIaB5fpMmWaE5VJSj6kbZXEy1T1A2SkZr06zNXvZHj8S5hGZy'
                      Source: Windows Defender.exe, 85IhxSGtOfNN64Z.csHigh entropy of concatenated method names: 'yWre6hYlj3lAFIe', 'w53lih6zzuxhdoo', 'ztKj3tzVIquKCWN', 'iAZZ3meOOCoWCuv', 'AG6EflH4htfZrjb', 'di3uQfxFg5FUgGd', 'SUaVC5nJy749fR2', 'Ml9Lz9F6G4XkEEc', 'gxrqTZHTbl6sS38', 'EoQBMeo9SVrfYpN'
                      Source: Windows Defender.exe, k9ZEaIQ7WE7abcI.csHigh entropy of concatenated method names: 'SYKN04mGwOtKVri', 'RXvOTn7ZPneJ4ZmOWPMXI2mHhemT0Op6a4Wr1k71y4plI4drhye04rKq9kMGh3xstgorqutmVwu8tcdV', '_9wlF4qXH0wGWgIlS9v9hUETRfiDCq4jhZJgaODbm9EYAkznyRHytEMnJ4sCOFGcXoQJWorb0sK3GUFG9', 'kSb5yxplkRlmGSPlEOM22U9HEoVFXc5txExM3cE5l909fwyxWVquMoNW09PCg57MSbhzrIynoB6jPMdf', '_82BSeVPHTKcOIrF2B5Rgi85jyt297gdkbsm9gtzjOjptS0tyVVEGOljUszwSogP0eu0zgr2L7yYMZezB'
                      Source: Windows Defender.exe, I3Th8Mh3i2t6BO8.csHigh entropy of concatenated method names: 'ycTB3QchYaPi6ld', 'deWxASI79woyq9X', '_0n7KpTltKIHYr4T', 'cnoumh2fnWdtSFr', 'pPbZfiyGiLZG83y0NXDujtd2OM9WsXrz7NxMSTjqhuuqXe5XIiwVCIBWN2VwcjY0oBNfeFPxal0iaAv6', 'lUNdOxJmo5suVRX8JZ85chk8dM8838T0TptE9RG0agy0GZKB25UGwHyyGXQzzotyY8KLjqrlJW1NAgA4', '_4vaG21eQNCBulv8UEgvZCAGl3LLf0chsyWtLb0RTqD5A7FuuJ1qSC6ANZnjGgbj59DVznlAqMwOu0LBo', 'Oy6IC0Gx3rsmgu9XRxA3eALAbWTpa6qGsJVPVVuv2so4quJbzZpYJpfbZZgBRr0MRDQQcTswHO6B3PEB', 'GmuG9UvlyARiNeQmXPqoYPMWFFeN1J2qPCDGaWZFGxmfPxArgsFTyoZrkl68opIm9IqICHdpruCNVwyD', 'EY72UclcflxCpseqbhJFb2aRgAGvqfAxZFhVmgMBW6u46L1oNPeisTXrv4zGXLoMmlDtzGeHk2ylsHpd'
                      Source: Windows Defender.exe, sjmftLizVeKZw8R.csHigh entropy of concatenated method names: 'fC2Hv3iN2A8bbkN', 'LDG4MG013gN6bXu', 'e5Y4CqvEcAEoHx6', 'WxHBkeBtQLLel5W', 'LclPVtD49F1s3Ze', 'HQae3xAr1kaUxi8', '_4JhsqusRTKSKtTK', 'KBnf1CAHIhlDR6u', 'TQKV9rsqz5qXI2U', 'eztSPsRMjtnDHAH'
                      Source: Windows Defender.exe, hkW0iHAt1n34uyi.csHigh entropy of concatenated method names: 'ZA1wSX8Y9rkyTOK', '_6l4VVkKWlLft6pE', 'mPqymSheHPUODwD', 'L2l2tsx1mGtScNH', 'GgWLdnBgKUFVsKe', 'mAzEPTGccxcwXrt', 'Ngd0V2uENuoJV7Y', '_1avyPG6avJrhMmb', 'YwYLCnL16L0IAiE', 'DfKhJS0b7F4dMa0'
                      Source: Windows Defender.exe, cwqxDxQiWlgCHGb.csHigh entropy of concatenated method names: 'NKOK6UgjJmOa6Im', 'igBJYGsMPitE6DG', 'jVpPD8sTfj9Nd10', 'G3EE5RtitA8krxl', 'Iz350rgzj3tqXNt', '_2LohON0bxHVhFNj', 'ufnMJe4vzMbpR6d', 'ifAbAoEYZVj5dHE', 'cIT6pad9Nfm5BIM', 'tkvQFISXvFMdFiN'
                      Source: Windows defender.exe.0.dr, 4HsJjuIP2UkRI9R.csHigh entropy of concatenated method names: 'jfw6pgiyRlXjLvW', '_73kiPYRZTt9iH8K', 'LuMB2o4Uhl3slYm', '_5iGvflySuJ2XB7mOoMsErBneGDDGoTVQxB7zXHDoI1b0LC9IeT7lXims44Ai1VS7R', 'qsUJnoNFDmuJGsQgdplxKlxv63v6KavmbVtF0JwKJQAA07HzBLj1iDe8rhkxBPZOs', 'YeW5xHeQumgoAkjFU2J9qnRqbGllYzYTu1JWTlFx65nbNgN6kfL4Tj3g8N066pGVH', 'C9g9BCZonES8wz7DXkLz8oNb9f926DDafJELUyu01BVE34DuE34v1X1ttiQoMK0Fl', '_6GrR4BNPHoCS3xvSYAnwhYYm8IFBAqwW3S7L67cWPC8A5B5CuHuaIboPDwjsyuUX7', 'rjcbd1yYzzaaY8lGu3cfV6xgZbMypogrooTZ5z7t3LIHv5eZFM7fWXHCLBBb8vEkG', 'AwF5JHjCl5FhRMAkYMRBiy5ekbqTyLdWmHkLQp1gM6RrCm8sIApYyfqhmokialfEU'
                      Source: Windows defender.exe.0.dr, IiG77VCIYIyAinp.csHigh entropy of concatenated method names: 'On7tk7CL4ICqwtJ17iyjvmroiyw8WZlr4MB4LP0nA8dx3ySI', 'V7eUuu0Dc75KTOrci9ReUfHmMHpjn3wFJJRKZH6QBZt45qfA', '_7V3NAsTVvEpV1KghbpMBUBfXxJ0gqd14EW7QgC5jRRCOicxa', 'H3wsgnzQp18ON9bs9wjvVyXbX9kSmtp8LrrlKFAIKltFLuZt'
                      Source: Windows defender.exe.0.dr, GzYlpNyzaslb0P5ovfphEnusQWYGKo.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'EJzGa7Ric7poYCgb41mvt5ldgjt51zq0BhFA1Xjj4wvS8InZ', 'GQ7tE9xs7bgguiu4ayikFAYQW0uh1MtAiHNsSkYdUqkdsLPI', 'omqgjj5ThJ8sFg3yxDaEwabnJhSmuqwI4e38fCjJrhdNKM5V', 'fsP5Xf2jdvqOWEV11Et9IH91ihdTx8o2dGfo9jMlkXZcQBQX'
                      Source: Windows defender.exe.0.dr, yfcXnm8Ph88Q7SS.csHigh entropy of concatenated method names: 'YxIUiUb1239uDz3', 'gMqKkY39oBJdPEc', 'wDmblHZzi5ufWIx', 'fIi1pkQemOV1VOg', 'LP2QKJGgCnpmSZ9', 'LIjuTg9mGO9GE6i', 'HzUFxULiarW50EW', '_80kl1VPnKSNLHn1', 'Dm2owszwUpyoSfa', 'hfZTr2VHFCTKyZz'
                      Source: Windows defender.exe.0.dr, DNAvWoxlxYdwRmJ.csHigh entropy of concatenated method names: 'YIMRtj1s9oNdU0N', '_5520HD1l8I2XRvvtXor9rfriehZm8XltHQUn20fvMgMr2pscG6OXUObl62pMLvYKdozsLDDyfkrTUzmW', 'kiAxGyXDIwuNBtK5wSL03PDYcLGzFoSqgROWN7GzW8uxRe1zCAcaKSVXJCHkWSmyAx9dKZPxZnbkoans', 'UBEhOpEhEJVw0VvqFMFmXP0eFyLMjTEZiaEqtdOUt1LVVYwizDfaeR1OegbFNjEvIFl2IUDB5TiCzhtw', 'Q3EP9OA0Z2GirNFLWCgus087plBS9P1WIaB5fpMmWaE5VJSj6kbZXEy1T1A2SkZr06zNXvZHj8S5hGZy'
                      Source: Windows defender.exe.0.dr, 85IhxSGtOfNN64Z.csHigh entropy of concatenated method names: 'yWre6hYlj3lAFIe', 'w53lih6zzuxhdoo', 'ztKj3tzVIquKCWN', 'iAZZ3meOOCoWCuv', 'AG6EflH4htfZrjb', 'di3uQfxFg5FUgGd', 'SUaVC5nJy749fR2', 'Ml9Lz9F6G4XkEEc', 'gxrqTZHTbl6sS38', 'EoQBMeo9SVrfYpN'
                      Source: Windows defender.exe.0.dr, k9ZEaIQ7WE7abcI.csHigh entropy of concatenated method names: 'SYKN04mGwOtKVri', 'RXvOTn7ZPneJ4ZmOWPMXI2mHhemT0Op6a4Wr1k71y4plI4drhye04rKq9kMGh3xstgorqutmVwu8tcdV', '_9wlF4qXH0wGWgIlS9v9hUETRfiDCq4jhZJgaODbm9EYAkznyRHytEMnJ4sCOFGcXoQJWorb0sK3GUFG9', 'kSb5yxplkRlmGSPlEOM22U9HEoVFXc5txExM3cE5l909fwyxWVquMoNW09PCg57MSbhzrIynoB6jPMdf', '_82BSeVPHTKcOIrF2B5Rgi85jyt297gdkbsm9gtzjOjptS0tyVVEGOljUszwSogP0eu0zgr2L7yYMZezB'
                      Source: Windows defender.exe.0.dr, I3Th8Mh3i2t6BO8.csHigh entropy of concatenated method names: 'ycTB3QchYaPi6ld', 'deWxASI79woyq9X', '_0n7KpTltKIHYr4T', 'cnoumh2fnWdtSFr', 'pPbZfiyGiLZG83y0NXDujtd2OM9WsXrz7NxMSTjqhuuqXe5XIiwVCIBWN2VwcjY0oBNfeFPxal0iaAv6', 'lUNdOxJmo5suVRX8JZ85chk8dM8838T0TptE9RG0agy0GZKB25UGwHyyGXQzzotyY8KLjqrlJW1NAgA4', '_4vaG21eQNCBulv8UEgvZCAGl3LLf0chsyWtLb0RTqD5A7FuuJ1qSC6ANZnjGgbj59DVznlAqMwOu0LBo', 'Oy6IC0Gx3rsmgu9XRxA3eALAbWTpa6qGsJVPVVuv2so4quJbzZpYJpfbZZgBRr0MRDQQcTswHO6B3PEB', 'GmuG9UvlyARiNeQmXPqoYPMWFFeN1J2qPCDGaWZFGxmfPxArgsFTyoZrkl68opIm9IqICHdpruCNVwyD', 'EY72UclcflxCpseqbhJFb2aRgAGvqfAxZFhVmgMBW6u46L1oNPeisTXrv4zGXLoMmlDtzGeHk2ylsHpd'
                      Source: Windows defender.exe.0.dr, sjmftLizVeKZw8R.csHigh entropy of concatenated method names: 'fC2Hv3iN2A8bbkN', 'LDG4MG013gN6bXu', 'e5Y4CqvEcAEoHx6', 'WxHBkeBtQLLel5W', 'LclPVtD49F1s3Ze', 'HQae3xAr1kaUxi8', '_4JhsqusRTKSKtTK', 'KBnf1CAHIhlDR6u', 'TQKV9rsqz5qXI2U', 'eztSPsRMjtnDHAH'
                      Source: Windows defender.exe.0.dr, hkW0iHAt1n34uyi.csHigh entropy of concatenated method names: 'ZA1wSX8Y9rkyTOK', '_6l4VVkKWlLft6pE', 'mPqymSheHPUODwD', 'L2l2tsx1mGtScNH', 'GgWLdnBgKUFVsKe', 'mAzEPTGccxcwXrt', 'Ngd0V2uENuoJV7Y', '_1avyPG6avJrhMmb', 'YwYLCnL16L0IAiE', 'DfKhJS0b7F4dMa0'
                      Source: Windows defender.exe.0.dr, cwqxDxQiWlgCHGb.csHigh entropy of concatenated method names: 'NKOK6UgjJmOa6Im', 'igBJYGsMPitE6DG', 'jVpPD8sTfj9Nd10', 'G3EE5RtitA8krxl', 'Iz350rgzj3tqXNt', '_2LohON0bxHVhFNj', 'ufnMJe4vzMbpR6d', 'ifAbAoEYZVj5dHE', 'cIT6pad9Nfm5BIM', 'tkvQFISXvFMdFiN'
                      Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, 4HsJjuIP2UkRI9R.csHigh entropy of concatenated method names: 'jfw6pgiyRlXjLvW', '_73kiPYRZTt9iH8K', 'LuMB2o4Uhl3slYm', '_5iGvflySuJ2XB7mOoMsErBneGDDGoTVQxB7zXHDoI1b0LC9IeT7lXims44Ai1VS7R', 'qsUJnoNFDmuJGsQgdplxKlxv63v6KavmbVtF0JwKJQAA07HzBLj1iDe8rhkxBPZOs', 'YeW5xHeQumgoAkjFU2J9qnRqbGllYzYTu1JWTlFx65nbNgN6kfL4Tj3g8N066pGVH', 'C9g9BCZonES8wz7DXkLz8oNb9f926DDafJELUyu01BVE34DuE34v1X1ttiQoMK0Fl', '_6GrR4BNPHoCS3xvSYAnwhYYm8IFBAqwW3S7L67cWPC8A5B5CuHuaIboPDwjsyuUX7', 'rjcbd1yYzzaaY8lGu3cfV6xgZbMypogrooTZ5z7t3LIHv5eZFM7fWXHCLBBb8vEkG', 'AwF5JHjCl5FhRMAkYMRBiy5ekbqTyLdWmHkLQp1gM6RrCm8sIApYyfqhmokialfEU'
                      Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, IiG77VCIYIyAinp.csHigh entropy of concatenated method names: 'On7tk7CL4ICqwtJ17iyjvmroiyw8WZlr4MB4LP0nA8dx3ySI', 'V7eUuu0Dc75KTOrci9ReUfHmMHpjn3wFJJRKZH6QBZt45qfA', '_7V3NAsTVvEpV1KghbpMBUBfXxJ0gqd14EW7QgC5jRRCOicxa', 'H3wsgnzQp18ON9bs9wjvVyXbX9kSmtp8LrrlKFAIKltFLuZt'
                      Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, GzYlpNyzaslb0P5ovfphEnusQWYGKo.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'EJzGa7Ric7poYCgb41mvt5ldgjt51zq0BhFA1Xjj4wvS8InZ', 'GQ7tE9xs7bgguiu4ayikFAYQW0uh1MtAiHNsSkYdUqkdsLPI', 'omqgjj5ThJ8sFg3yxDaEwabnJhSmuqwI4e38fCjJrhdNKM5V', 'fsP5Xf2jdvqOWEV11Et9IH91ihdTx8o2dGfo9jMlkXZcQBQX'
                      Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, yfcXnm8Ph88Q7SS.csHigh entropy of concatenated method names: 'YxIUiUb1239uDz3', 'gMqKkY39oBJdPEc', 'wDmblHZzi5ufWIx', 'fIi1pkQemOV1VOg', 'LP2QKJGgCnpmSZ9', 'LIjuTg9mGO9GE6i', 'HzUFxULiarW50EW', '_80kl1VPnKSNLHn1', 'Dm2owszwUpyoSfa', 'hfZTr2VHFCTKyZz'
                      Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, DNAvWoxlxYdwRmJ.csHigh entropy of concatenated method names: 'YIMRtj1s9oNdU0N', '_5520HD1l8I2XRvvtXor9rfriehZm8XltHQUn20fvMgMr2pscG6OXUObl62pMLvYKdozsLDDyfkrTUzmW', 'kiAxGyXDIwuNBtK5wSL03PDYcLGzFoSqgROWN7GzW8uxRe1zCAcaKSVXJCHkWSmyAx9dKZPxZnbkoans', 'UBEhOpEhEJVw0VvqFMFmXP0eFyLMjTEZiaEqtdOUt1LVVYwizDfaeR1OegbFNjEvIFl2IUDB5TiCzhtw', 'Q3EP9OA0Z2GirNFLWCgus087plBS9P1WIaB5fpMmWaE5VJSj6kbZXEy1T1A2SkZr06zNXvZHj8S5hGZy'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, 85IhxSGtOfNN64Z.cs | High entropy of concatenated method names: 'yWre6hYlj3lAFIe', 'w53lih6zzuxhdoo', 'ztKj3tzVIquKCWN', 'iAZZ3meOOCoWCuv', 'AG6EflH4htfZrjb', 'di3uQfxFg5FUgGd', 'SUaVC5nJy749fR2', 'Ml9Lz9F6G4XkEEc', 'gxrqTZHTbl6sS38', 'EoQBMeo9SVrfYpN'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, k9ZEaIQ7WE7abcI.cs | High entropy of concatenated method names: 'SYKN04mGwOtKVri', 'RXvOTn7ZPneJ4ZmOWPMXI2mHhemT0Op6a4Wr1k71y4plI4drhye04rKq9kMGh3xstgorqutmVwu8tcdV', '_9wlF4qXH0wGWgIlS9v9hUETRfiDCq4jhZJgaODbm9EYAkznyRHytEMnJ4sCOFGcXoQJWorb0sK3GUFG9', 'kSb5yxplkRlmGSPlEOM22U9HEoVFXc5txExM3cE5l909fwyxWVquMoNW09PCg57MSbhzrIynoB6jPMdf', '_82BSeVPHTKcOIrF2B5Rgi85jyt297gdkbsm9gtzjOjptS0tyVVEGOljUszwSogP0eu0zgr2L7yYMZezB'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, I3Th8Mh3i2t6BO8.cs | High entropy of concatenated method names: 'ycTB3QchYaPi6ld', 'deWxASI79woyq9X', '_0n7KpTltKIHYr4T', 'cnoumh2fnWdtSFr', 'pPbZfiyGiLZG83y0NXDujtd2OM9WsXrz7NxMSTjqhuuqXe5XIiwVCIBWN2VwcjY0oBNfeFPxal0iaAv6', 'lUNdOxJmo5suVRX8JZ85chk8dM8838T0TptE9RG0agy0GZKB25UGwHyyGXQzzotyY8KLjqrlJW1NAgA4', '_4vaG21eQNCBulv8UEgvZCAGl3LLf0chsyWtLb0RTqD5A7FuuJ1qSC6ANZnjGgbj59DVznlAqMwOu0LBo', 'Oy6IC0Gx3rsmgu9XRxA3eALAbWTpa6qGsJVPVVuv2so4quJbzZpYJpfbZZgBRr0MRDQQcTswHO6B3PEB', 'GmuG9UvlyARiNeQmXPqoYPMWFFeN1J2qPCDGaWZFGxmfPxArgsFTyoZrkl68opIm9IqICHdpruCNVwyD', 'EY72UclcflxCpseqbhJFb2aRgAGvqfAxZFhVmgMBW6u46L1oNPeisTXrv4zGXLoMmlDtzGeHk2ylsHpd'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, sjmftLizVeKZw8R.cs | High entropy of concatenated method names: 'fC2Hv3iN2A8bbkN', 'LDG4MG013gN6bXu', 'e5Y4CqvEcAEoHx6', 'WxHBkeBtQLLel5W', 'LclPVtD49F1s3Ze', 'HQae3xAr1kaUxi8', '_4JhsqusRTKSKtTK', 'KBnf1CAHIhlDR6u', 'TQKV9rsqz5qXI2U', 'eztSPsRMjtnDHAH'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, hkW0iHAt1n34uyi.cs | High entropy of concatenated method names: 'ZA1wSX8Y9rkyTOK', '_6l4VVkKWlLft6pE', 'mPqymSheHPUODwD', 'L2l2tsx1mGtScNH', 'GgWLdnBgKUFVsKe', 'mAzEPTGccxcwXrt', 'Ngd0V2uENuoJV7Y', '_1avyPG6avJrhMmb', 'YwYLCnL16L0IAiE', 'DfKhJS0b7F4dMa0'
Source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, cwqxDxQiWlgCHGb.cs | High entropy of concatenated method names: 'NKOK6UgjJmOa6Im', 'igBJYGsMPitE6DG', 'jVpPD8sTfj9Nd10', 'G3EE5RtitA8krxl', 'Iz350rgzj3tqXNt', '_2LohON0bxHVhFNj', 'ufnMJe4vzMbpR6d', 'ifAbAoEYZVj5dHE', 'cIT6pad9Nfm5BIM', 'tkvQFISXvFMdFiN'
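The "high entropy of concatenated method names" signature above is a heuristic: an obfuscator that renames every member to a random mix of letters and digits pushes the character distribution of a class's method names towards the 5.95-bit ceiling of the [A-Za-z0-9] alphabet, while hand-written C# identifiers sit near 4 to 4.5 bits. The following is an added example, not Joe Sandbox's own implementation; the thresholds are assumed, the readable control names are constructed, and the only names taken from the report are those of 85IhxSGtOfNN64Z.cs. It also checks a second signal the report does not state, the share of names containing digits, which is near zero in readable code.

```python
import math
from collections import Counter

# Method names copied from the report's entry for 85IhxSGtOfNN64Z.cs.
REPORTED_NAMES = [
    "yWre6hYlj3lAFIe", "w53lih6zzuxhdoo", "ztKj3tzVIquKCWN", "iAZZ3meOOCoWCuv",
    "AG6EflH4htfZrjb", "di3uQfxFg5FUgGd", "SUaVC5nJy749fR2", "Ml9Lz9F6G4XkEEc",
    "gxrqTZHTbl6sS38", "EoQBMeo9SVrfYpN",
]

# Constructed control set (illustrative names, not taken from this sample):
# what a hand-written client class looks like before an obfuscator renames it.
READABLE_NAMES = [
    "Connect", "SendHeartbeat", "ReceiveCommand", "DownloadFile", "RunProcess",
    "GetSystemInfo", "TakeScreenshot", "InstallStartup", "ReadRegistry", "Disconnect",
]

# log2(62) is the ceiling for names drawn uniformly from [A-Za-z0-9];
# English-like identifiers usually land around 4.0-4.5 bits per character.
BASE62_MAX_ENTROPY = math.log2(62)


def shannon_entropy(text: str) -> float:
    """Shannon entropy of `text` in bits per character (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def digit_ratio(names) -> float:
    """Fraction of names containing at least one digit (rare in readable C#)."""
    if not names:
        return 0.0
    return sum(any(ch.isdigit() for ch in name) for name in names) / len(names)


def classify_method_names(names, entropy_threshold=5.0, digit_threshold=0.5):
    """Score one class's method names. Thresholds are assumed for this example,
    not Joe Sandbox's; tune them against a corpus of known-clean assemblies."""
    entropy = shannon_entropy("".join(names))
    digits = digit_ratio(names)
    return {
        "entropy": round(entropy, 2),
        "digit_ratio": round(digits, 2),
        "obfuscated": entropy >= entropy_threshold or digits >= digit_threshold,
    }


def flag_obfuscated_classes(classes: dict) -> list:
    """Given {class_name: [method names]} (e.g. scraped from decompiler output),
    return the class names whose method names score as obfuscated."""
    return [cls for cls, names in classes.items()
            if classify_method_names(names)["obfuscated"]]


if __name__ == "__main__":
    for label, names in (("report", REPORTED_NAMES), ("readable", READABLE_NAMES)):
        print(label, classify_method_names(names))
```

The concatenated report names come out at roughly 5.6 bits per character and every one of them contains a digit; the readable control set lands around 4.4 bits with no digits. Short classes (two or three members) give noisy entropy values, so the digit ratio is the more stable of the two signals on small samples.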
Source: C:\Users\user\Desktop\Windows Defender.exe | File created: C:\Users\user\AppData\Roaming\Windows defender.exe
Source: C:\Users\user\Desktop\Windows Defender.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows defender.lnk
Source: C:\Users\user\Desktop\Windows Defender.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (value name: Windows defender)
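The three lines above describe two independent user-level persistence hooks (a Startup-folder shortcut and an HKCU Run value) that both borrow the name of Microsoft Defender while the dropped binary sits in %APPDATA%. An analyst triaging an autorun inventory wants those properties checked mechanically rather than by eye. The following is an added example, not part of the report or of Joe Sandbox: it scores autorun entries on three signals that this sample trips (executable in a user-writable directory, product-name impersonation outside the product's install path, and the same executable registered through more than one mechanism). The inventory is constructed; in particular, the Run value's target path is an assumption based on the dropped file, since the report shows only the value name.

```python
# Directory fragments a standard user can write to; real security products
# do not autostart from here.
USER_WRITABLE_MARKERS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\",
                         "\\downloads\\", "\\users\\public\\")

# Where a genuine Microsoft Defender binary is installed.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\",
                    "c:\\programdata\\microsoft\\windows defender\\")

# Name fragments a malicious autorun borrows to look like security software.
IMPERSONATED_PRODUCTS = ("windows defender", "defender", "antivirus", "msmpeng")

# Constructed autorun inventory. The first two entries mirror the report's
# Run value and Startup shortcut; their target is assumed to be the dropped
# file (the report does not show the value data). The last two are benign
# entries added to show how the scoring treats them.
SAMPLE_AUTORUNS = [
    {"source": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "Windows defender",
     "target": r"C:\Users\user\AppData\Roaming\Windows defender.exe"},
    {"source": r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
     "name": "Windows defender.lnk",
     "target": r"C:\Users\user\AppData\Roaming\Windows defender.exe"},
    {"source": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "SecurityHealth",
     "target": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"source": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive",
     "target": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]


def executable_path(command: str) -> str:
    """Pull the executable out of an autorun command line.
    Heuristic: honour a quoted path, otherwise cut after the first '.exe' so
    that unquoted paths containing spaces (as in this sample) survive."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    idx = cmd.lower().find(".exe")
    return cmd[:idx + 4] if idx >= 0 else cmd.split(" ")[0]


def assess_autorun(entry: dict) -> list:
    """Return the list of suspicious properties of one autorun entry."""
    exe_l = executable_path(entry["target"]).lower()
    name_l = entry["name"].lower()
    reasons = []
    if any(marker in exe_l for marker in USER_WRITABLE_MARKERS):
        reasons.append("executable lives in a user-writable directory")
    if any(k in name_l for k in IMPERSONATED_PRODUCTS) and not exe_l.startswith(TRUSTED_PREFIXES):
        reasons.append("name imitates a security product but target is outside its install path")
    return reasons


def triage(entries: list) -> list:
    """Score every entry; a target registered by several mechanisms (Run value
    plus Startup shortcut here) counts as an extra reason. Two or more reasons
    is 'high', one is 'review', none is 'ok'."""
    by_target = {}
    for e in entries:
        by_target.setdefault(executable_path(e["target"]).lower(), []).append(e)
    results = []
    for e in entries:
        reasons = assess_autorun(e)
        siblings = by_target[executable_path(e["target"]).lower()]
        if len(siblings) > 1:
            reasons.append("same executable registered by %d autorun mechanisms" % len(siblings))
        verdict = "high" if len(reasons) >= 2 else ("review" if reasons else "ok")
        results.append({"name": e["name"], "source": e["source"],
                        "verdict": verdict, "reasons": reasons})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_AUTORUNS):
        print(f"{r['verdict']:6} {r['name']:22} {r['source']}  {'; '.join(r['reasons'])}")
```

The OneDrive entry shows why the user-writable rule is not a verdict on its own: plenty of legitimate per-user software autostarts from %LOCALAPPDATA%, so it lands in "review" while the two "Windows defender" hooks, which also impersonate a product and point at one shared binary, score "high". On a live host the inventory would be built from the Run keys and both Startup folders, and the .lnk target resolved before scoring; the report's shortcut is listed here with the assumed target already resolved.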

                      Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\Windows Defender.exe | Process information set: NOOPENFILEERRORBOX (the SetErrorMode flag SEM_NOOPENFILEERRORBOX: the system does not display a message box when it fails to find a file and instead returns the error to the caller; the .NET runtime sets this itself at startup, so on its own it is a weak indicator)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                      Source: C:\Users\user\Desktop\Windows Defender.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                      Source: Windows Defender.exe, 00000000.00000002.2938486382.0000000002981000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
                      Source: Windows Defender.exe, Windows defender.exe.0.drBinary or memory string: SBIEDLL.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
                      Source: C:\Users\user\Desktop\Windows Defender.exe	Memory allocated: BD0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Windows Defender.exe	Memory allocated: 1A980000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Memory allocated: 8E0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Memory allocated: 1A300000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Memory allocated: 1390000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Memory allocated: 1B070000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Windows Defender.exe	Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe	Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Windows Defender.exe	Window / User API: threadDelayed 3856
                      Source: C:\Users\user\Desktop\Windows Defender.exe	Window / User API: threadDelayed 5982
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5580
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4225
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6974
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2817
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7393
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2162
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7563
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2061
                      Source: C:\Users\user\Desktop\Windows Defender.exe TID: 1244	Thread sleep time: -13835058055282155s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2124	Thread sleep time: -6456360425798339s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2188	Thread sleep time: -3689348814741908s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7120	Thread sleep count: 7393 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3260	Thread sleep count: 2162 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5440	Thread sleep time: -3689348814741908s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3684	Thread sleep count: 7563 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1908	Thread sleep count: 2061 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5952	Thread sleep time: -1844674407370954s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe TID: 2008	Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe TID: 1848	Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\Windows Defender.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Users\user\Desktop\Windows Defender.exe	File Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exe	File Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\catroot2
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\System32\AppxSip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SYSTEM32\OpcServices.DLL
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\System32\wshext.dll
                      Source: Windows defender.exe.0.dr	Binary or memory string: vmware
                      Source: Windows Defender.exe, 00000000.00000002.2971854237.000000001B795000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\Windows Defender.exe	Process information queried: ProcessInformation

                      Anti Debugging

                      Source: C:\Users\user\Desktop\Windows Defender.exe	Code function: 0_2_00007FFD9B8B73F0 CheckRemoteDebuggerPresent,0_2_00007FFD9B8B73F0
                      Source: C:\Users\user\Desktop\Windows Defender.exe	Process queried: DebugPort
                      Source: C:\Users\user\Desktop\Windows Defender.exe	Process token adjusted: Debug
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\Windows Defender.exe	Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe'
                      Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows defender.exe'
                      Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'
                      Source: C:\Users\user\Desktop\Windows Defender.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows defender.exe'
                      Source: C:\Users\user\Desktop\Windows Defender.exe	Queries volume information: C:\Users\user\Desktop\Windows Defender.exe VolumeInformation
                      Source: C:\Users\user\Desktop\Windows Defender.exe	Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exeQueries volume information: C:\Users\user\AppData\Roaming\Windows defender.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Windows defender.exeQueries volume information: C:\Users\user\AppData\Roaming\Windows defender.exe VolumeInformation
                      Source: C:\Users\user\Desktop\Windows Defender.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                      Source: Windows Defender.exe, 00000000.00000002.2932483269.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, Windows Defender.exe, 00000000.00000002.2971854237.000000001B865000.00000004.00000020.00020000.00000000.sdmp, Windows Defender.exe, 00000000.00000002.2971854237.000000001B795000.00000004.00000020.00020000.00000000.sdmp, Windows Defender.exe, 00000000.00000002.2971854237.000000001B7E1000.00000004.00000020.00020000.00000000.sdmp, Windows Defender.exe, 00000000.00000002.2932483269.0000000000BFC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: C:\Users\user\Desktop\Windows Defender.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                      Source: C:\Users\user\Desktop\Windows Defender.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                      Source: C:\Users\user\Desktop\Windows Defender.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: Windows Defender.exe, type: SAMPLE
Source: Yara match | File source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Windows Defender.exe.12991a78.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.Windows Defender.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2968960632.0000000012991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2938486382.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1679736888.0000000000672000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Windows Defender.exe PID: 6848, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows defender.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: Windows Defender.exe, type: SAMPLE
Source: Yara match | File source: 0.2.Windows Defender.exe.12991a78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Windows Defender.exe.12991a78.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.Windows Defender.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2968960632.0000000012991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2938486382.0000000002981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1679736888.0000000000672000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Windows Defender.exe PID: 6848, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Windows defender.exe, type: DROPPED
MITRE ATT&CK matrix, listed per tactic column (the digits in front of a technique are the badge numbers the report shows beside it):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 12 Windows Management Instrumentation; 1 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 21 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 21 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 151 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 11 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 541 Security Software Discovery; 1 Process Discovery; 151 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 2 File and Directory Discovery; 23 System Information Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1478314 | Sample: Windows Defender.exe | Start date: 22/07/2024 | Architecture: WINDOWS | Score: 100

Contacted hosts: rest-root.gl.at.ply.gg; ip-api.com
Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 21 other signatures

Process tree as drawn in the graph:
• Windows Defender.exe (started; graph counters 15, 6)
  • Network: ip-api.com 208.95.112.1, ports 49730, 80, TUT-ASUS, United States; rest-root.gl.at.ply.gg 147.185.221.20, ports 22746, 49737, 49739, SALSGIVERUS, United States
  • Dropped file: C:\Users\user\...\Windows defender.exe, PE32
  • Signatures: Protects its processes via BreakOnTermination flag; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Adds a directory exclusion to Windows Defender
  • powershell.exe (started; graph counter 23), child: conhost.exe; signature: Loading BitLocker PowerShell Module
  • powershell.exe (started; graph counter 23), child: conhost.exe
  • powershell.exe (started; graph counter 23), child: conhost.exe
  • powershell.exe (started), child: conhost.exe
• Windows defender.exe (started)
• Windows defender.exe (started)

Source | Detection | Scanner | Label
Windows Defender.exe | 74% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
Windows Defender.exe | 100% | Avira | TR/Spy.Gen
Windows Defender.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Windows defender.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Roaming\Windows defender.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Windows defender.exe | 74% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT

No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe
http://wwcrosoft.com/pki/certs/MicWinPCA_2010-07-06.crt0 | 0% | Avira URL Cloud | safe
http://crl.m | 0% | Avira URL Cloud | safe
http://crl.microso | 0% | Avira URL Cloud | safe
http://www.microsoft.co | 0% | Avira URL Cloud | safe
http://crl.mic | 0% | Avira URL Cloud | safe
http://www.microsoft.? | 0% | Avira URL Cloud | safe
http://osoft.co | 0% | Avira URL Cloud | safe
http://crl.micft.cMicRosof | 0% | Avira URL Cloud | safe
rest-root.gl.at.ply.gg | 100% | Avira URL Cloud | malware
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
http://crl.micros | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | true | | unknown
rest-root.gl.at.ply.gg | 147.185.221.20 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
rest-root.gl.at.ply.gg | true | Avira URL Cloud: malware | unknown
http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://wwcrosoft.com/pki/certs/MicWinPCA_2010-07-06.crt0 | powershell.exe, 00000007.00000002.2013027015.000002C4FB0FF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1770364691.000001836E151000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1857314352.00000166CB7B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1985826490.000002C490071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2192950897.0000017323D9F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.m | powershell.exe, 00000001.00000002.1777599701.00000183768D1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000B.00000002.2057100718.0000017313F58000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.microso | powershell.exe, 00000004.00000002.1872277415.00000166D3E9A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000001.00000002.1754844090.000001835E309000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1805611860.00000166BB969000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1902775888.000002C480229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2057100718.0000017313F58000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000B.00000002.2057100718.0000017313F58000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000001.00000002.1754844090.000001835E309000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1805611860.00000166BB969000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1902775888.000002C480229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2057100718.0000017313F58000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 0000000B.00000002.2192950897.0000017323D9F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1770364691.000001836E151000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1857314352.00000166CB7B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1985826490.000002C490071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2192950897.0000017323D9F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.microsoft.co | powershell.exe, 0000000B.00000002.2221696230.000001732C5F3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 0000000B.00000002.2192950897.0000017323D9F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.mic | powershell.exe, 00000007.00000002.2019157164.000002C4FB5E2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000B.00000002.2192950897.0000017323D9F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://osoft.co | powershell.exe, 0000000B.00000002.2221696230.000001732C5A8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.micft.cMicRosof | powershell.exe, 00000007.00000002.2019157164.000002C4FB5E2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.1754844090.000001835E0E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1805611860.00000166BB741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1902775888.000002C480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2057100718.0000017313D31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Windows Defender.exe, 00000000.00000002.2938486382.0000000002981000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1754844090.000001835E0E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1805611860.00000166BB741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1902775888.000002C480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2057100718.0000017313D31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.microsoft.? | powershell.exe, 0000000B.00000002.2218935309.000001732C280000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000B.00000002.2057100718.0000017313F58000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.micros | powershell.exe, 00000001.00000002.1776503483.0000018376630000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                           IP | Domain | Country | ASN | ASN Name | Malicious
                           208.95.112.1 | ip-api.com | United States | 53334 | TUT-AS | true
                           147.185.221.20 | rest-root.gl.at.ply.gg | United States | 12087 | SALSGIVER | true
                          Joe Sandbox version:40.0.0 Tourmaline
                          Analysis ID:1478314
                          Start date and time:2024-07-22 14:02:08 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 6m 35s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                           Number of new started processes analysed:16
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:Windows Defender.exe
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@15/21@2/2
                          EGA Information:
                          • Successful, ratio: 14.3%
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 84
                          • Number of non-executed functions: 6
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                          • Execution Graph export aborted for target Windows defender.exe, PID 2896 because it is empty
                          • Execution Graph export aborted for target Windows defender.exe, PID 4144 because it is empty
                          • Execution Graph export aborted for target powershell.exe, PID 1984 because it is empty
                          • Execution Graph export aborted for target powershell.exe, PID 4296 because it is empty
                          • Execution Graph export aborted for target powershell.exe, PID 6248 because it is empty
                          • Execution Graph export aborted for target powershell.exe, PID 928 because it is empty
                           • Not all processes were analyzed; the report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtCreateKey calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                          • VT rate limit hit for: Windows Defender.exe
                           Time | Type | Description
                           08:03:05 | API Interceptor | 51x Sleep call for process: powershell.exe modified
                           08:03:57 | API Interceptor | 439899x Sleep call for process: Windows Defender.exe modified
                           13:03:57 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows defender C:\Users\user\AppData\Roaming\Windows defender.exe
                           13:04:05 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows defender C:\Users\user\AppData\Roaming\Windows defender.exe
                           13:04:13 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows defender.lnk
                           Associated Sample Name / URL | Detection | Threat Name | Context
                           Match: 208.95.112.1
                           Windows Defender.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
                           kTWqylz02u | malicious | Xehook Stealer | ip-api.com/json/?fields=11827
                           Injector.exe | malicious | ZTrat | ip-api.com/xml/?fields=countryCode,query
                           2lDAndk18M.exe | malicious | AsyncRAT, Blank Grabber, DcRat | ip-api.com/json/?fields=225545
                           e45AiBoV6X.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
                           iA8m9FfF5v.exe | malicious | DCRat | ip-api.com/line/?fields=hosting
                           R6UcgOy5nE.rtf | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
                           PR240614_ORDER.exe | malicious | PXRECVOWEIWOEI Stealer | ip-api.com/line/?fields=hosting
                           IEnetcache.hta | malicious | Cobalt Strike, AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
                           winiti.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
                           Match: 147.185.221.20
                           Ekpb7jn7mf.exe | malicious | RedLine, XWorm | pst-child.gl.at.ply.gg:9336/
                           Associated Sample Name / URL | Detection | Threat Name | Context
                           Match: ip-api.com
                           Windows Defender.exe | malicious | XWorm | 208.95.112.1
                           kTWqylz02u | malicious | Xehook Stealer | 208.95.112.1
                           Injector.exe | malicious | ZTrat | 208.95.112.1
                           2lDAndk18M.exe | malicious | AsyncRAT, Blank Grabber, DcRat | 208.95.112.1
                           e45AiBoV6X.exe | malicious | Blank Grabber | 208.95.112.1
                           iA8m9FfF5v.exe | malicious | DCRat | 208.95.112.1
                           R6UcgOy5nE.rtf | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
                           PR240614_ORDER.exe | malicious | PXRECVOWEIWOEI Stealer | 208.95.112.1
                           IEnetcache.hta | malicious | Cobalt Strike, AgentTesla, PureLog Stealer | 208.95.112.1
                           winiti.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
                           Associated Sample Name / URL | Detection | Threat Name | Context
                           Match: SALSGIVER (US)
                           setup.exe | malicious | RedLine | 147.185.221.21
                           setup.exe | malicious | RedLine | 147.185.221.21
                           sqjxHtZQi8.jpg.ps1 | malicious | ArrowRAT | 147.185.221.18
                           listafamilia_caipira.doc | malicious | ArrowRAT | 147.185.221.18
                           47up6MR64o.exe | malicious | Njrat | 147.185.221.21
                           RdJ73GU3N1.exe | malicious | Njrat | 147.185.221.21
                           Ekpb7jn7mf.exe | malicious | RedLine, XWorm | 147.185.221.20
                           python.exe | malicious | XWorm | 147.185.221.21
                           setup.exe | malicious | XWorm | 147.185.221.21
                           real-al-d7ya.exe | malicious | XWorm | 147.185.221.20
                           Match: TUT-AS (US)
                           Windows Defender.exe | malicious | XWorm | 208.95.112.1
                           kTWqylz02u | malicious | Xehook Stealer | 208.95.112.1
                           Injector.exe | malicious | ZTrat | 208.95.112.1
                           2lDAndk18M.exe | malicious | AsyncRAT, Blank Grabber, DcRat | 208.95.112.1
                           e45AiBoV6X.exe | malicious | Blank Grabber | 208.95.112.1
                           iA8m9FfF5v.exe | malicious | DCRat | 208.95.112.1
                           R6UcgOy5nE.rtf | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
                           PR240614_ORDER.exe | malicious | PXRECVOWEIWOEI Stealer | 208.95.112.1
                           Roblox Account Manager.exe | malicious | Unknown | 208.95.112.1
                           Roblox Account Manager.exe | malicious | Unknown | 208.95.112.1
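The IP table and the context rows above carry the two network indicators of this sample: a GET to ip-api.com with fields=hosting (the "data center or colocation facility" check in the signature list, used to decide whether the sample is running in a sandbox) followed by traffic to rest-root.gl.at.ply.gg, a playit.gg tunnel endpoint that the related XWorm samples also use (pst-child.gl.at.ply.gg:9336). As an added example, not part of the report and not Joe Security's code, the Python below runs that correlation over a few constructed proxy/flow log lines: a *.ply.gg connection preceded within a minute by an ip-api.com lookup from the same workstation is rated high, a bare tunnel connection medium, and an ip-api.com lookup alone is not alerted because legitimate software uses the service too. The log format, workstation names, timestamps and the port 9336 (taken from the related-sample row, not from this sample's capture) are constructed.

```python
"""Added example: correlate an ip-api.com lookup with a follow-on *.ply.gg tunnel connection."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

GEOIP_HOSTS = {"ip-api.com"}
# playit.gg tunnel endpoints: the report lists rest-root.gl.at.ply.gg for this sample and
# pst-child.gl.at.ply.gg:9336 for a related XWorm sample.
TUNNEL_SUFFIXES = (".ply.gg",)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str   # workstation that made the request
    dest: str   # destination host[:port]
    path: str   # HTTP path and query, or "-" for a non-HTTP connection


def parse_line(line: str) -> Event:
    """Parse one constructed proxy/flow line: '<ISO-8601 UTC> <host> <dest[:port]> <path|->'."""
    ts, host, dest, path = line.split(maxsplit=3)
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), host, dest, path)


def dest_name(e: Event) -> str:
    return e.dest.rsplit(":", 1)[0].lower()


def is_geoip_lookup(e: Event) -> bool:
    """Any ip-api.com request; the context table shows several samples using different endpoints."""
    return dest_name(e) in GEOIP_HOSTS


def asks_for_hosting(e: Event) -> bool:
    """True when the query names the 'hosting' field explicitly, as this sample's /line/ request does."""
    fields = parse_qs(urlsplit(e.path).query).get("fields", [])
    return any("hosting" in f for f in fields)


def is_tunnel_dest(e: Event) -> bool:
    return dest_name(e).endswith(TUNNEL_SUFFIXES)


def correlate(lines: list[str], window: timedelta = timedelta(seconds=60)) -> list[dict]:
    """One alert per tunnel connection; 'high' if the same host queried ip-api.com within the window."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    last_lookup: dict[str, Event] = {}
    alerts: list[dict] = []
    for e in events:
        if is_geoip_lookup(e):
            last_lookup[e.host] = e      # remember, but never alert on the lookup alone
            continue
        if not is_tunnel_dest(e):
            continue
        prior = last_lookup.get(e.host)
        if prior is not None and e.ts - prior.ts <= window:
            alerts.append({"host": e.host, "severity": "high", "c2": e.dest,
                           "lookup": prior.path, "hosting_check": asks_for_hosting(prior),
                           "delta_s": (e.ts - prior.ts).total_seconds()})
        else:
            alerts.append({"host": e.host, "severity": "medium", "c2": e.dest,
                           "lookup": None, "hosting_check": False, "delta_s": None})
    return alerts


# Constructed log lines (not from the report's capture): WS01 reproduces the sample's sequence,
# WS03 performs a geolocation lookup with no tunnel traffic afterwards, WS04 only touches the tunnel.
SAMPLE_LOG = """\
2024-07-22T12:03:40Z WS02 aka.ms:443 /pscore68
2024-07-22T12:03:57Z WS01 ip-api.com:80 /line/?fields=hosting
2024-07-22T12:04:01Z WS01 rest-root.gl.at.ply.gg:9336 -
2024-07-22T12:10:00Z WS03 ip-api.com:80 /json/?fields=11827
2024-07-22T12:30:00Z WS03 github.com:443 /Pester/Pester
2024-07-22T13:00:00Z WS04 pst-child.gl.at.ply.gg:9336 -
""".splitlines()

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Feed real proxy or NetFlow exports through parse_line (or replace it with your schema) and keep the window short: the sample's lookup and first C2 contact are seconds apart, and a wide window mainly adds false positives from geolocation-aware software.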
                          No context
                          No context
                          Process:C:\Users\user\AppData\Roaming\Windows defender.exe
                          File Type:CSV text
                          Category:dropped
                          Size (bytes):654
                          Entropy (8bit):5.380476433908377
                          Encrypted:false
                          SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                          MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                          SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                          SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                          SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                          Malicious:false
                          Reputation:moderate, very likely benign file
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:modified
                          Size (bytes):64
                          Entropy (8bit):0.34726597513537405
                          Encrypted:false
                          SSDEEP:3:Nlll:Nll
                          MD5:446DD1CF97EABA21CF14D03AEBC79F27
                          SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                          SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                          SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                          Malicious:false
                          Reputation:high, very likely benign file
                          Preview:@...e...........................................................
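Each dropped-file entry reports an "Entropy (8bit)" value, which is the Shannon entropy of the byte histogram in bits per byte: near 0 for padding, around 4 to 5.5 for text and unpacked code, close to 8 for compressed, packed or encrypted data. As an added example, not part of the report and not Joe Security's code, the Python below computes that value and attaches the rule-of-thumb bucket an analyst uses to decide whether a dropped file deserves unpacking. The 64-byte file above is only shown as the preview "@...e...", so its bytes are reconstructed as an assumption: 61 zero bytes plus three distinct single bytes is the histogram whose entropy matches the reported 0.34726597513537405, while the positions of those bytes are not recoverable. The bucket thresholds and the seeded random buffer standing in for a packed payload are likewise mine.

```python
"""Added example: the 8-bit Shannon entropy reported per dropped file, plus a triage bucket."""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the 256-symbol alphabet: 0.0 for one repeated value, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_bucket(entropy: float, size: int) -> str:
    """Rule-of-thumb buckets used in triage; the thresholds are conventional, not from the report."""
    if size < 32:
        return "too small to judge"
    if entropy < 1.0:
        return "mostly padding or zeros"
    if entropy < 6.0:
        return "text, scripts or unpacked code"
    if entropy < 7.2:
        return "compressed or mixed content"
    return "likely packed or encrypted"


# Reconstruction (assumption) of the 64-byte file that powershell.exe modified: preview "@...e...",
# 61 zero bytes and three distinct single bytes reproduce the reported entropy 0.34726597513537405.
POWERSHELL_64 = b"@" + b"\x00" * 3 + b"e" + b"\x00" * 58 + b"\x01"

# Deterministic stand-in for a packed or encrypted payload (seeded PRNG, so the value is reproducible).
PACKED_LIKE = random.Random(1).randbytes(4096)


def triage(name: str, data: bytes) -> dict:
    """Summarise one file the way the dropped-file table does, with the bucket added."""
    h = shannon_entropy(data)
    return {"name": name, "size": len(data), "entropy": round(h, 6), "bucket": entropy_bucket(h, len(data))}


if __name__ == "__main__":
    for name, data in (("powershell-64", POWERSHELL_64), ("packed-like", PACKED_LIKE)):
        print(triage(name, data))
```

Entropy is a coarse signal: the dropped XWorm copy later in this list sits at 5.30, which is ordinary for an unpacked .NET assembly, so a low value does not mean a file is benign, only that its strings and IL are visible to static tooling without an unpacking step.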
                          Process:C:\Users\user\Desktop\Windows Defender.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):35
                          Entropy (8bit):3.7071562309216133
                          Encrypted:false
                          SSDEEP:3:rRSFYJKXzovNsr4rn:EFYJKDoWrcn
                          MD5:BFABEC865892A34F532FABF984F7E156
                          SHA1:3C8292E49FEFD3DA96DBC289B36C4C710B0127E3
                          SHA-256:8C8E36E0088165B6606F75DF86D53D3527FD36518C5AAB07425969B066FEEEC6
                          SHA-512:CA042E157B8C0E728991567016DF2036D8E6E4311CC74E7DB8AB6335AC20C02BD8099F3248E82B8DB5C26A7C6B687D1D7A440EC77D55B3BAE42D3753DBD63129
                          Malicious:false
                           Preview:....### explorer ###..[WIN]r[WIN]r
                           Interpretation (not a report finding): the layout, a window-title header (### explorer ###) followed by captured keys ([WIN]r, i.e. Win+R), is that of a keystroke log, consistent with the keylogger component of XWorm.
                           Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                           File Type:ASCII text, with no line terminators
                           Category:dropped
                           Size (bytes):60
                           Entropy (8bit):4.038920595031593
                           Encrypted:false
                           SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                           MD5:D17FE0A3F47BE24A6453E9EF58C94641
                           SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                           SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                           SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                           Malicious:false
                           Occurrences:16 identical entries in the report (same process, same hashes)
                           Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Users\user\Desktop\Windows Defender.exe
                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Jul 22 11:03:56 2024, mtime=Mon Jul 22 11:03:56 2024, atime=Mon Jul 22 11:03:56 2024, length=88704, window=hide
                          Category:dropped
                          Size (bytes):811
                          Entropy (8bit):5.095797699400048
                          Encrypted:false
                          SSDEEP:12:8OPPS4S5WC8dY//4Fyy+LcYwiz6pY6jAjrHo8W+YdYQPBmV:8w3r+AQyYcI6pYGAjE1+YdYQPBm
                          MD5:60BDB184ADAC1F9E0F66E722DD22FBEE
                          SHA1:2BC5CEDD1F34CF00CAC8F7E666FDEE5C9FA560FE
                          SHA-256:2744F9024E774F9AEE91FFDAB6680D800C0739E904688FF5EC866E4A0C0F32C6
                          SHA-512:91C628A19A047A590153F1FE038448A80D2493DA743C183333688AA04EB2C6F56BD120564BCC3B54E50BAB94009C9134814169144FF4882236660373D68447ED
                          Malicious:false
                          Preview:L..................F.... ..../.:/..../.:/..../.:/....Z........................:..DG..Yr?.D..U..k0.&...&......vk.v......../.....:/.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.X]`...........................%..A.p.p.D.a.t.a...B.V.1......X[`..Roaming.@......CW.^.X[`..............................R.o.a.m.i.n.g.....v.2..Z...X}` .WINDOW~1.EXE..Z.......X}`.X}`.........................#...W.i.n.d.o.w.s. .d.e.f.e.n.d.e.r...e.x.e.......b...............-.......a...........YC......C:\Users\user\AppData\Roaming\Windows defender.exe..#.....\.....\.....\.....\.....\.W.i.n.d.o.w.s. .d.e.f.e.n.d.e.r...e.x.e.`.......X.......226546...........hT..CrF.f4... ...w"H...,.......hT..CrF.f4... ...w"H...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
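The three Autostart entries in the timeline above and this Startup-folder shortcut are the sample's persistence: a Run value named "Windows defender" and a .lnk of the same name, both pointing at the copy in C:\Users\user\AppData\Roaming. As an added example, my code rather than the report's or Joe Security's, the Python below reads the fields of a Shell Link that matter for triage (LinkFlags, FileSize, ShowCommand and the LocalBasePath inside LinkInfo, laid out as in MS-SHLLINK) and applies the checks an analyst makes on a Run value or Startup shortcut. The report shows the dropped .lnk only as a hexdump preview, so the bytes parsed here are a synthetic shortcut built with the same target, length (88704) and hidden window; the mapping of file(1)'s "window=hide" to ShowCommand 7 (SW_SHOWMINNOACTIVE) is my reading of libmagic, and the product-name and path lists are assumptions.

```python
"""Added example: read the persistence-relevant fields of a Shell Link (.lnk) and score an autostart entry."""
from __future__ import annotations

import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO = 0x1, 0x2                # LinkFlags bits
SW_SHOWMINNOACTIVE = 7              # ShowCommand that file(1) prints as "window=hide" (assumption)
SECURITY_PRODUCT_NAMES = ("windows defender", "msmpeng", "securityhealth", "antimalware")
USER_WRITABLE_ROOTS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")


def parse_lnk(blob: bytes) -> dict:
    """Return target path, size and ShowCommand from the header, IDList and LinkInfo sections."""
    header_size, clsid = struct.unpack_from("<I16s", blob, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link header")
    flags, attrs = struct.unpack_from("<II", blob, 0x14)
    file_size, _icon, show_cmd = struct.unpack_from("<IiI", blob, 0x34)
    pos = 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:                 # skip the opaque IDList
        (idlist_size,) = struct.unpack_from("<H", blob, pos)
        pos += 2 + idlist_size
    target = None
    if flags & HAS_LINK_INFO:
        info_size, _hdr, info_flags, _vol_off, base_off = struct.unpack_from("<IIIII", blob, pos)
        if info_flags & 0x1:                           # VolumeIDAndLocalBasePath present
            start = pos + base_off
            target = blob[start:blob.index(b"\x00", start)].decode("latin-1")
        pos += info_size
    return {"flags": flags, "attrs": attrs, "file_size": file_size, "show_cmd": show_cmd, "target": target}


def assess_autostart(name: str, target: str, show_cmd: int | None = None) -> list[str]:
    """Triage heuristics for a Run value or Startup shortcut; an empty list means nothing stood out."""
    t, n, reasons = target.lower(), name.lower(), []
    if any(root in t for root in USER_WRITABLE_ROOTS):
        reasons.append("target lives in a user-writable profile directory")
    if any(p in n or p in t for p in SECURITY_PRODUCT_NAMES) and not t.startswith("c:\\program"):
        reasons.append("impersonates a security product outside Program Files/ProgramData")
    if show_cmd == SW_SHOWMINNOACTIVE:
        reasons.append("shortcut starts the target minimised without focus (window=hide)")
    return reasons


def build_lnk(target: str, file_size: int, show_cmd: int) -> bytes:
    """Constructed, spec-shaped .lnk: header, one placeholder ItemID, LinkInfo with a local path, terminal block."""
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, HAS_LINK_TARGET_IDLIST | HAS_LINK_INFO,
                         0x20, 0, 0, 0, file_size, 0, show_cmd, 0, 0, 0, 0)     # 0x20 = FILE_ATTRIBUTE_ARCHIVE
    idlist = struct.pack("<H", 4) + b"\x1f\x00" + b"\x00\x00"                   # ItemID (size incl.) + terminator
    volume_id = struct.pack("<IIII", 0x11, 3, 0x1234ABCD, 0x10) + b"\x00"     # DRIVE_FIXED, empty label
    base_path = target.encode("latin-1") + b"\x00"
    vol_off = 0x1C                                     # LinkInfo header is 28 bytes
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_path)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 0x1, vol_off, base_off, 0, suffix_off)
    return (header + struct.pack("<H", len(idlist)) + idlist
            + link_info + volume_id + base_path + b"\x00" + struct.pack("<I", 0))


# Values taken from the report's Startup .lnk entry (target, length=88704, window=hide); the bytes are synthetic.
TARGET = r"C:\Users\user\AppData\Roaming\Windows defender.exe"
SAMPLE_LNK = build_lnk(TARGET, 88704, SW_SHOWMINNOACTIVE)


def triage_startup_lnk(name: str, blob: bytes) -> dict:
    """Parse a shortcut and attach the autostart heuristics."""
    info = parse_lnk(blob)
    info["reasons"] = assess_autostart(name, info["target"] or "", info["show_cmd"])
    return info


if __name__ == "__main__":
    print(triage_startup_lnk("Windows defender.lnk", SAMPLE_LNK))
    # The HKCU\...\Run value from the report's timeline, scored with the same heuristics.
    print(assess_autostart("Windows defender", TARGET))
```

On a live host the same two calls apply to every value under HKCU and HKLM ...\CurrentVersion\Run and every .lnk in the per-user and all-users Startup folders; a security-product name that resolves into a user's profile directory is the combination that the genuine Defender binaries under Program Files and ProgramData never produce.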
                          Process:C:\Users\user\Desktop\Windows Defender.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):88704
                          Entropy (8bit):5.296346034099949
                          Encrypted:false
                          SSDEEP:1536:K3RREeTjJun+KfYlYXbv8Wb1b6d1CmOFcK/9K6:kREs8qwbvPBEnOJ/46
                          MD5:F6D9F758F360DECAF8E73F885BE02571
                          SHA1:FFC684A4500ADE8E4E10E341880480DB574A8642
                          SHA-256:03072C4ACDC40C9AA06AAB693D7A200934D5025D4C3CE46409AC6B435F2973BC
                          SHA-512:656F7FEFFFE7E2B42F0DB6D02DFE29E96F6BE8DC23D6BA4F26E7B73D604DACBA43818FF614A4D4790FD5EDCD5BE51C024892BED5335FA8644C0E342E1CCCA004
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\Windows defender.exe, Author: Joe Security
                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Windows defender.exe, Author: Joe Security
                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Windows defender.exe, Author: ditekSHen
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 74%
                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):5.296346034099949
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                          • Win32 Executable (generic) a (10002005/4) 49.75%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Windows Screen Saver (13104/52) 0.07%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          File name:Windows Defender.exe
                          File size:88'704 bytes
                          MD5:f6d9f758f360decaf8e73f885be02571
                          SHA1:ffc684a4500ade8e4e10e341880480db574a8642
                          SHA256:03072c4acdc40c9aa06aab693d7a200934d5025d4c3ce46409ac6b435f2973bc
                          SHA512:656f7fefffe7e2b42f0db6d02dfe29e96f6be8dc23d6ba4f26e7b73d604dacba43818ff614a4d4790fd5edcd5be51c024892bed5335fa8644c0e342e1ccca004
                          SSDEEP:1536:K3RREeTjJun+KfYlYXbv8Wb1b6d1CmOFcK/9K6:kREs8qwbvPBEnOJ/46
                          TLSH:E2837C187BF90129F2FFAFB19EF57257CA39F7231903911F24C5024A1627E85CD416A9
                          Icon Hash:90cececece8e8eb0
                          Entrypoint:0x4141fe
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Time Stamp:0x667E4CAA [Fri Jun 28 05:39:54 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                          Instruction
                          jmp dword ptr [00402000h]
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x141a4 | 0x57 | .text
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x4f6 | .rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x18000 | 0xc | .reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          .text | 0x2000 | 0x12204 | 0x12400 | 638bb207169cf13de51fd880e97c8cb3 | False | 0.5870344606164384 | data | 5.906609628961811 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .rsrc | 0x16000 | 0x4f6 | 0x600 | 386de1d645b9b90b3cafc49ff9003d30 | False | 0.3802083333333333 | data | 3.783430525476147 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc | 0x18000 | 0xc | 0x200 | 3d3b140fcc37af5c61cb73a8f3bd1afe | False | 0.041015625 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                          RT_VERSION | 0x160a0 | 0x26c | data | | | 0.4596774193548387
                          RT_MANIFEST | 0x1630c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                          DLL | Import
                          mscoree.dll | _CorExeMain
                          Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                          07/22/24-14:04:13.386026 | TCP | 2855924 | ETPRO TROJAN Win32/XWorm V3 CnC Command - PING Outbound | 49737 | 22746 | 192.168.2.4 | 147.185.221.20
                          Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                          2024-07-22T14:04:13.386026+0200 | TCP | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 49737 | 22746 | 192.168.2.4 | 147.185.221.20
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                          Jul 22, 2024 14:03:04.754777908 CEST | 192.168.2.4 | 1.1.1.1 | 0xbb88 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                          Jul 22, 2024 14:03:58.362199068 CEST | 192.168.2.4 | 1.1.1.1 | 0x8a87 | Standard query (0) | rest-root.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                          Jul 22, 2024 14:03:04.761980057 CEST | 1.1.1.1 | 192.168.2.4 | 0xbb88 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                          Jul 22, 2024 14:03:58.373526096 CEST | 1.1.1.1 | 192.168.2.4 | 0x8a87 | No error (0) | rest-root.gl.at.ply.gg | | 147.185.221.20 | A (IP address) | IN (0x0001) | false
                          • ip-api.com
                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          0 | 192.168.2.4 | 49730 | 208.95.112.1 | 80 | 6848 | C:\Users\user\Desktop\Windows Defender.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Jul 22, 2024 14:03:04.775739908 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                          Host: ip-api.com
                          Connection: Keep-Alive
                          Jul 22, 2024 14:03:05.259407997 CEST | 175 | IN | HTTP/1.1 200 OK
                          Date: Mon, 22 Jul 2024 12:03:05 GMT
                          Content-Type: text/plain; charset=utf-8
                          Content-Length: 6
                          Access-Control-Allow-Origin: *
                          X-Ttl: 60
                          X-Rl: 44
                          Data Raw: 66 61 6c 73 65 0a
                          Data Ascii: false



                          Target ID:0
                          Start time:08:02:59
                          Start date:22/07/2024
                          Path:C:\Users\user\Desktop\Windows Defender.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Users\user\Desktop\Windows Defender.exe"
                          Imagebase:0x670000
                          File size:88'704 bytes
                          MD5 hash:F6D9F758F360DECAF8E73F885BE02571
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2968960632.0000000012991000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2968960632.0000000012991000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2938486382.0000000002981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1679736888.0000000000672000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1679736888.0000000000672000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                          Reputation:low
                          Has exited:false

                          Target ID:1
                          Start time:08:03:04
                          Start date:22/07/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe'
                          Imagebase:0x7ff788560000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:2
                          Start time:08:03:04
                          Start date:22/07/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:4
                          Start time:08:03:10
                          Start date:22/07/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'
                          Imagebase:0x7ff788560000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:5
                          Start time:08:03:10
                          Start date:22/07/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:7
                          Start time:08:03:20
                          Start date:22/07/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Windows defender.exe'
                          Imagebase:0x7ff788560000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:8
                          Start time:08:03:20
                          Start date:22/07/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:11
                          Start time:08:03:35
                          Start date:22/07/2024
                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows defender.exe'
                          Imagebase:0x7ff788560000
                          File size:452'608 bytes
                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:12
                          Start time:08:03:35
                          Start date:22/07/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:13
                          Start time:08:04:05
                          Start date:22/07/2024
                          Path:C:\Users\user\AppData\Roaming\Windows defender.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Users\user\AppData\Roaming\Windows defender.exe"
                          Imagebase:0x90000
                          File size:88'704 bytes
                          MD5 hash:F6D9F758F360DECAF8E73F885BE02571
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\Windows defender.exe, Author: Joe Security
                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Windows defender.exe, Author: Joe Security
                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Windows defender.exe, Author: ditekSHen
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 74%, ReversingLabs
                          Reputation:low
                          Has exited:true

                          Target ID:14
                          Start time:08:04:13
                          Start date:22/07/2024
                          Path:C:\Users\user\AppData\Roaming\Windows defender.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Users\user\AppData\Roaming\Windows defender.exe"
                          Imagebase:0xd50000
                          File size:88'704 bytes
                          MD5 hash:F6D9F758F360DECAF8E73F885BE02571
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:low
                          Has exited:true


                            Execution Graph

                            Execution Coverage:22.2%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:25%
                            Total number of Nodes:12
                            Total number of Limit Nodes:0

                            Control-flow Graph

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2979936942.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Windows Defender.jbxd
                            Similarity
                            • API ID:
                            • String ID: CAL_^
                            • API String ID: 0-3140518731
                            • Opcode ID: c9b0a12d4622f675291573715673f2a0cdf1a0a6c736f9cf29351741c778133f
                            • Instruction ID: c5b3e38cccf218dac2a8298713f6ea71aa0eef09282a8ddd133c5c59e339ae69
                            • Opcode Fuzzy Hash: c9b0a12d4622f675291573715673f2a0cdf1a0a6c736f9cf29351741c778133f
                            • Instruction Fuzzy Hash: 9012E461B29A5D4FE7A8FB7C98796B877D2EF98300F45057DE00DC32D6DE28A9018781

                            Control-flow Graph

                            control_flow_graph 173 7ffd9b8b73f0-7ffd9b8b73f7 174 7ffd9b8b73f9-7ffd9b8b7401 173->174 175 7ffd9b8b7402-7ffd9b8b795d CheckRemoteDebuggerPresent 173->175 174->175 183 7ffd9b8b7965-7ffd9b8b79a8 175->183 184 7ffd9b8b795f 175->184 184->183
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2979936942.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Windows Defender.jbxd
                            Similarity
                            • API ID: CheckDebuggerPresentRemote
                            • String ID:
                            • API String ID: 3662101638-0
                            • Opcode ID: 9f1cc3b82476f9b52fa39f4df4e9a597362dc0b2534c35b70452523e20ce7ded
                            • Instruction ID: 03b7a69ae34bd550716d55016bd7f5e2f70add9cb41438c595bf355286d7338e
                            • Opcode Fuzzy Hash: 9f1cc3b82476f9b52fa39f4df4e9a597362dc0b2534c35b70452523e20ce7ded
                            • Instruction Fuzzy Hash: 39416831D0C75D8FDB19DF68885A6F97FF0EF26321F0442ABC489D7192DA24A816C791

                            Control-flow Graph

                            control_flow_graph 265 7ffd9b8b108d-7ffd9b8b10d9 271 7ffd9b8b10db-7ffd9b8b110d 265->271 272 7ffd9b8b110e-7ffd9b8b11ce 265->272 271->272 284 7ffd9b8b11d5-7ffd9b8b11d6 272->284 285 7ffd9b8b11d0 272->285 286 7ffd9b8b11d8 284->286 287 7ffd9b8b11dc-7ffd9b8b11de 284->287 285->284 286->287 288 7ffd9b8b11e0 287->288 289 7ffd9b8b11e3-7ffd9b8b11e6 287->289 288->289 290 7ffd9b8b11e8 289->290 291 7ffd9b8b11ea-7ffd9b8b11ee 289->291 290->291 292 7ffd9b8b11f0 291->292 293 7ffd9b8b11f1-7ffd9b8b1286 291->293 292->293
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2979936942.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Windows Defender.jbxd
                            Similarity
                            • API ID:
                            • String ID: CAL_^
                            • API String ID: 0-3140518731
                            • Opcode ID: 564ecf7a17d81520b0049e249eefa21ee534539cb81592f014c2075c5de7da7f
                            • Instruction ID: 0ba677ab27645d4a29cf2741ac34dc47e76ae7b09bd054fcf832ad802bd18e35
                            • Opcode Fuzzy Hash: 564ecf7a17d81520b0049e249eefa21ee534539cb81592f014c2075c5de7da7f
                            • Instruction Fuzzy Hash: 9A61EF13B0D5B29AD31BB7B9786A8EA3B10DF4237870841B7D09D8E0EB9C04208BC6D5
                            Memory Dump Source
                            • Source File: 00000000.00000002.2979936942.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Windows Defender.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 08d245fedc6f82d9fdadd8ba7d20c7cf1948bdf38de29989748a2354729597e3
                            • Instruction ID: 0f1095517de8a8564d0397b9db956b23f2bbd0f7e84e271818fbd2c8b79e1f64
                            • Opcode Fuzzy Hash: 08d245fedc6f82d9fdadd8ba7d20c7cf1948bdf38de29989748a2354729597e3
                            • Instruction Fuzzy Hash: 09D16170A18A4E8FEFA8DF28C8657E977E1FB58300F44426AE81DC7295DB34D9458B81
                            Memory Dump Source
                            • Source File: 00000000.00000002.2979936942.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Windows Defender.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 33822ebb9addfdf02e9178fbdb29e3ffc329a98e7abd8ae728cc7862c4d87ae4
                            • Instruction ID: f88bede76661490d545b2746c140ab4a8043aaf4234f68f8ce0c03569741f0b7
                            • Opcode Fuzzy Hash: 33822ebb9addfdf02e9178fbdb29e3ffc329a98e7abd8ae728cc7862c4d87ae4
                            • Instruction Fuzzy Hash: 28C1C560B1D95D4FEB98EBBC9875AB976D1FF9C300F05057AD04EC32E6DE28A9014781
                            Memory Dump Source
                            • Source File: 00000000.00000002.2979936942.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Windows Defender.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: df782f7d9e48fa13ba37f7cc8ea1870ff0a321c45b4e01de44a031539cb49b14
                            • Instruction ID: 297f90937b1cfea5b8da07e412dab87c3f08c3ee7cd7fb8d1a9dcd2a2911be4c
                            • Opcode Fuzzy Hash: df782f7d9e48fa13ba37f7cc8ea1870ff0a321c45b4e01de44a031539cb49b14
                            • Instruction Fuzzy Hash: 75D16270A08A4E8FEBA8DF28C8657E977E1FB58310F14826AD80DC7295DE74D9458BC1

                            Control-flow Graph

                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2979936942.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Windows Defender.jbxd
                            Similarity
                            • API ID:
                            • String ID: K_^$K_^$K_^
                            • API String ID: 0-2082226254
                            • Opcode ID: 79f43603be1b103148d55c5ae951f4c1984811b083ab7e9e0f2cdae98a50bb28
                            • Instruction ID: 68b44164f74864b3168a57a23f293233e3b0745003b3d51270aad3e22b2989b8
                            • Opcode Fuzzy Hash: 79f43603be1b103148d55c5ae951f4c1984811b083ab7e9e0f2cdae98a50bb28
                            • Instruction Fuzzy Hash: 2281907290F7D94FEB258B7888696A97FD0EF15310B0801FEC0D9871E3D91469478BC2

                            Control-flow Graph

                            control_flow_graph 186 7ffd9b8b9bc8-7ffd9b8b9bcf 187 7ffd9b8b9bda-7ffd9b8b9c4d 186->187 188 7ffd9b8b9bd1-7ffd9b8b9bd9 186->188 192 7ffd9b8b9cd9-7ffd9b8b9cdd 187->192 193 7ffd9b8b9c53-7ffd9b8b9c58 187->193 188->187 194 7ffd9b8b9c62-7ffd9b8b9c9f SetWindowsHookExW 192->194 195 7ffd9b8b9c5f-7ffd9b8b9c60 193->195 196 7ffd9b8b9ca7-7ffd9b8b9cd8 194->196 197 7ffd9b8b9ca1 194->197 195->194 197->196
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2979936942.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Windows Defender.jbxd
                            Similarity
                            • API ID: HookWindows
                            • String ID:
                            • API String ID: 2559412058-0
                            • Opcode ID: 2a0fa84812778fd4aa05413271715eeb74eadee4c6c95a36cb6b9e77363494b5
                            • Instruction ID: d8c809124914b62ea3e767dd20623acec44ae63a02f8d3897f1a9f0b4d7c0f6a
                            • Opcode Fuzzy Hash: 2a0fa84812778fd4aa05413271715eeb74eadee4c6c95a36cb6b9e77363494b5
                            • Instruction Fuzzy Hash: 8E413831A0CA5D4FDB18DF6C985A6F97BE1EF59320F10027EE019D3292CE64A8028BC1

                            Control-flow Graph

                            control_flow_graph 200 7ffd9b8b96ad-7ffd9b8b9780 RtlSetProcessIsCritical 204 7ffd9b8b9788-7ffd9b8b97bd 200->204 205 7ffd9b8b9782 200->205 205->204
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2979936942.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Windows Defender.jbxd
                            Similarity
                            • API ID: CriticalProcess
                            • String ID:
                            • API String ID: 2695349919-0
                            • Opcode ID: 7dee23f77af0fad6c20588868ec8991768ef0eb8a42317fd9baf5811d50fea04
                            • Instruction ID: 10f1eb570703fcdce4c194db473ba55d7e9c094a3805fbeb61278b29b195efe6
                            • Opcode Fuzzy Hash: 7dee23f77af0fad6c20588868ec8991768ef0eb8a42317fd9baf5811d50fea04
                            • Instruction Fuzzy Hash: 7731F131A0CA588FDB29DB98D859AF97BE0FF65311F14413ED09AD3692CB206846CB81

                            Control-flow Graph

                            control_flow_graph 207 7ffd9b8b78a1-7ffd9b8b795d CheckRemoteDebuggerPresent 211 7ffd9b8b7965-7ffd9b8b79a8 207->211 212 7ffd9b8b795f 207->212 212->211
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.2979936942.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7ffd9b8b0000_Windows Defender.jbxd
                            Similarity
                            • API ID: CheckDebuggerPresentRemote
                            • String ID:
                            • API String ID: 3662101638-0
                            • Opcode ID: 410272233035cba68cfe4514f4400281b932252b75277665081f118b7c3b03f6
                            • Instruction ID: 664ca026ced6d21e92043a3328e58b725465192e5c2449e3db0ace006eb5053e
                            • Opcode Fuzzy Hash: 410272233035cba68cfe4514f4400281b932252b75277665081f118b7c3b03f6
                            • Instruction Fuzzy Hash: 8031D13190875C8FCB58DF58C88A7E97BF0EF65321F0542AAD489D7292DB34A846CB91
                            Memory Dump Source
                            • Source File: 00000001.00000002.1779270962.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 49cd5f50328b54479a7b21f411e146ffeae1ed100b394e41f9221478340e5fec
                            • Instruction ID: 2eae1817f576eef9a64b64e09644eab97cd3e2579824852b759591a84625edd0
                            • Opcode Fuzzy Hash: 49cd5f50328b54479a7b21f411e146ffeae1ed100b394e41f9221478340e5fec
                            • Instruction Fuzzy Hash: 9C31D67290F7C99FD7579B7898760D43FB0EF16215B0941F7C088CB0A3E929590AC7A2
                            Memory Dump Source
                            • Source File: 00000001.00000002.1779824408.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ffd9b970000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a10f5eeaa053d3a8f8ced5343327a9d7f641f1fca1bba5cf61e155f9ea0d7e51
                            • Instruction ID: e43e6e8d3b6905554b32f47d1a164806a2bd6c51b31704e1c3f74ca7d93e7104
                            • Opcode Fuzzy Hash: a10f5eeaa053d3a8f8ced5343327a9d7f641f1fca1bba5cf61e155f9ea0d7e51
                            • Instruction Fuzzy Hash: B5516D32B2EA8A1FE7A9EA5C44A277877D1EF61610F1A40BEC15DC72E7DE14EC018341
                            Memory Dump Source
                            • Source File: 00000001.00000002.1779824408.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ffd9b970000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 55f5b32cf8442571db9affca7f24f74f9d0015dcf92bc95625c88eb65bf5bf7c
                            • Instruction ID: f6e9fae60c6e922076a23ca9bff797d1f46c73781793e8d40d4bca35dba24c3c
                            • Opcode Fuzzy Hash: 55f5b32cf8442571db9affca7f24f74f9d0015dcf92bc95625c88eb65bf5bf7c
                            • Instruction Fuzzy Hash: 2A412832B1EA495FEBB9D66C54A06B877D1EF41720B1A01FED05DC72A7EA14AD018341
                            Memory Dump Source
                            • Source File: 00000001.00000002.1779270962.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6fd4e2a6de0b7d0da04bb29c1d2ecb5314e3549c44e2bf30220bbb18148a3571
                            • Instruction ID: 0dcac71385152cd939d5dc2bec496e80cebc405c42e0177d8de1568f2e529d45
                            • Opcode Fuzzy Hash: 6fd4e2a6de0b7d0da04bb29c1d2ecb5314e3549c44e2bf30220bbb18148a3571
                            • Instruction Fuzzy Hash: 2331F971A0DB4C8FDB58DF5CA84A6A97BE0FB98310F00412FE449C3252DA20B955CBC2
                            Memory Dump Source
                            • Source File: 00000001.00000002.1778657807.00007FFD9B78D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ffd9b78d000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 037ec217ec8a1f4add5ba0d4f3d783fe972df33df60dd7ce2647c4ebeec0a6c5
                            • Instruction ID: 1d45ca90c3ddab96827f82b3fd918f42dfdc4cc9be796aef4f3bbb9a4b49ef70
                            • Opcode Fuzzy Hash: 037ec217ec8a1f4add5ba0d4f3d783fe972df33df60dd7ce2647c4ebeec0a6c5
                            • Instruction Fuzzy Hash: EF41057150EFC84FE7668B2898959523FF0EF52321B1602EFD088CB1B3D725A846C792
                            Memory Dump Source
                            • Source File: 00000001.00000002.1779270962.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 306649136122dcf15ea6f35d3e345230ba3d17a3671431f6fb56458c0b26a3b9
                            • Instruction ID: 7cadbb35c2d09efde5fee5c6f5957ed5d815cf1b77b473f42a4e0d84e7b684f2
                            • Opcode Fuzzy Hash: 306649136122dcf15ea6f35d3e345230ba3d17a3671431f6fb56458c0b26a3b9
                            • Instruction Fuzzy Hash: 8821F63190CB4C4FDB59DFAC984A7E97FE0EB96321F04416BD048C3166DA74981ACBA2
                            Memory Dump Source
                            • Source File: 00000001.00000002.1779824408.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ffd9b970000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c20c920b3b2d2656b19a3f5b67bc0c9d15851ba822b2c0b4a1fd180ebed491fb
                            • Instruction ID: fa42ca1b5918ae3dd5c81c662dddc9a7d55af4a936dae400b28d0493ef3985e4
                            • Opcode Fuzzy Hash: c20c920b3b2d2656b19a3f5b67bc0c9d15851ba822b2c0b4a1fd180ebed491fb
                            • Instruction Fuzzy Hash: 4621D422B2F98A1FE7B9EA5844A227863C1EF61610B4A40BDD05DC76F3DE14EC058341
                            Memory Dump Source
                            • Source File: 00000001.00000002.1779824408.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ffd9b970000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a70fb6c63d59c64169331301140bf8703053b84d646118b30379a848593ff5bc
                            • Instruction ID: 54d2412bfeedaea2acf230110ab5433d0df1b05754b5f69a1a5e7b4e8ef2d697
                            • Opcode Fuzzy Hash: a70fb6c63d59c64169331301140bf8703053b84d646118b30379a848593ff5bc
                            • Instruction Fuzzy Hash: 9C11E032A1F54A5FE7B4DB6894B4AB877D1EF40620B5A00FED06DC72A7DA18AD008341
                            Memory Dump Source
                            • Source File: 00000001.00000002.1779824408.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ffd9b970000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b2e57109e83ffd63a774ba556cc2f43849a7659506eff46130eefab4176b60cd
                            • Instruction ID: a6021d8578b11c86d28cc74dd02a12e05f4601c00fb9c68ec33508b85009ae3d
                            • Opcode Fuzzy Hash: b2e57109e83ffd63a774ba556cc2f43849a7659506eff46130eefab4176b60cd
                            • Instruction Fuzzy Hash: 5C110632B0E68D8FEB65DF9880A45A87BD1EF58314B1901FFC45CCB1A3DA256845C351
                            Memory Dump Source
                            • Source File: 00000001.00000002.1779270962.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                            • Instruction ID: 2d8e5c199f5335979778887b622e34919a8febb75adba4d6537578fae4bb4e89
                            • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                            • Instruction Fuzzy Hash: 8601677121CB0D4FD748EF0CE451AA6B7E0FB99364F10056DE58AC36A5DA36E882CB45
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1779270962.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: L_^$L_^$L_^$L_^
                            • API String ID: 0-2357752022
                            • Opcode ID: e466705ec08742da41894b9f04baeceae6a989c50e247a01cf473a3cc3ef8a91
                            • Instruction ID: f87e5c99aabb7507551220f377960b8bf8241e4bc58bb98d999c6066f36c58d2
                            • Opcode Fuzzy Hash: e466705ec08742da41894b9f04baeceae6a989c50e247a01cf473a3cc3ef8a91
                            • Instruction Fuzzy Hash: F841C4A3A0F6D61FE36647A948790D87FA0EF1676474E52F7C0D48B0A3ED18350B8262
                            Strings
                            Memory Dump Source
                            • Source File: 00000001.00000002.1779270962.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: L_^4$L_^7$L_^F$L_^J
                            • API String ID: 0-3225005683
                            • Opcode ID: 02d8dffb2fc30e881c9c0a44405cd32b71f90e60e1d62c3e6a1fe4010585dcda
                            • Instruction ID: 45c46be07a9f83af549c3a923de6fc2add619ee1d317f12e50de848940673ccf
                            • Opcode Fuzzy Hash: 02d8dffb2fc30e881c9c0a44405cd32b71f90e60e1d62c3e6a1fe4010585dcda
                            • Instruction Fuzzy Hash: E721D4B77085259ED30A7BBDBC199ED3740CB9427834552B3D2A98B093EA1460878AE0
                            Memory Dump Source
                            • Source File: 00000004.00000002.1876525040.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7ffd9b8a5000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ac8a041a45bb0d04552ce95991b1711035e562df50e3eabc6bc006c1047b7e5f
                            • Instruction ID: 99b4d13a8ce7668c89b6f91b2809eae5a96b23a3c65df76af67d73c3eff1b752
                            • Opcode Fuzzy Hash: ac8a041a45bb0d04552ce95991b1711035e562df50e3eabc6bc006c1047b7e5f
                            • Instruction Fuzzy Hash: BCD19170A18A4D8FDF99DF58C455AE9BBE1FF68300F15416AD409D72AACB34E881CB81
                            Memory Dump Source
                            • Source File: 00000004.00000002.1877304571.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7ffd9b970000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5a1634a03f8608efede437dedec54bb9f2df027d2a3df464d63de78442fa99a9
                            • Instruction ID: 962fa847e47b7e34aa3cde484934c21690f78a486a2259734ebdf505cfbbfb23
                            • Opcode Fuzzy Hash: 5a1634a03f8608efede437dedec54bb9f2df027d2a3df464d63de78442fa99a9
                            • Instruction Fuzzy Hash: 22D15332B1FA8E1FEBA5EBA848A55B57BE1EF15310B0901FED05CC70E3DA18A805C341
                            Memory Dump Source
                            • Source File: 00000004.00000002.1877304571.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7ffd9b970000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8dedf78331b3e7051ce1bb5888860b3d86dee3845aff680552403194fb6606e7
                            • Instruction ID: 8211e824aa2d9128222bc24621cab9204207efb2042bb3ac57fcefca04b19f15
                            • Opcode Fuzzy Hash: 8dedf78331b3e7051ce1bb5888860b3d86dee3845aff680552403194fb6606e7
                            • Instruction Fuzzy Hash: 97710222A2FA8A6FEBB5DBA844B55747BD1EF11354F5A00FEC45CCB0E7D918AD058301
                            Memory Dump Source
                            • Source File: 00000004.00000002.1877304571.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7ffd9b970000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d317663e27b0410e7e06ba15693d616fdf3e0b914fe71523e07b3f727e6d89f1
                            • Instruction ID: 1afb3c6ea73830f5acaa1394e2cc0586d7f76be066b20bd054eb1e0124e7c9d9
                            • Opcode Fuzzy Hash: d317663e27b0410e7e06ba15693d616fdf3e0b914fe71523e07b3f727e6d89f1
                            • Instruction Fuzzy Hash: D8515C32B2EA8A1FE7A9DA5C44A277877D1EF65610F1A40BEC05DC72E7DE14EC058341
                            Memory Dump Source
                            • Source File: 00000004.00000002.1877304571.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7ffd9b970000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 80a5bad0a6d3d2faf5a2583b973adbb90b7a34509fe33fdf008901eb642e974e
                            • Instruction ID: 6de2264e7f631df2b3557682610194abe0128b33297d939ba8a7ad57f649c022
                            • Opcode Fuzzy Hash: 80a5bad0a6d3d2faf5a2583b973adbb90b7a34509fe33fdf008901eb642e974e
                            • Instruction Fuzzy Hash: C5412832B1EA495FEBB9D76C54A0AB877D1EF44720B1A01FFD05DC72A7EA14AD018341
                            Memory Dump Source
                            • Source File: 00000004.00000002.1876525040.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7ffd9b8a5000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1aaa6a182c753b873125e52feffcd2de5f32b394ee1a3b3d549eae2b8a38bb4c
                            • Instruction ID: 9906a063b2ec262ef4d5223db63e62765b62bcb41ead21633af8643dccc73d30
                            • Opcode Fuzzy Hash: 1aaa6a182c753b873125e52feffcd2de5f32b394ee1a3b3d549eae2b8a38bb4c
                            • Instruction Fuzzy Hash: 75410871A0DB888FDB189F5C9C4A6E97BE1FB99310F04416FE44983252CA70A915CBD2
                            Memory Dump Source
                            • Source File: 00000004.00000002.1875536605.00007FFD9B78D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7ffd9b78d000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 42587e3067a16b26fa2baa920aaeacdc9ecfaa09402d0b268ac1b2b8ca23955c
                            • Instruction ID: bffcf16759a49eb4d83406b89019330bb84a713e6301c22ca356bccafd9b75eb
                            • Opcode Fuzzy Hash: 42587e3067a16b26fa2baa920aaeacdc9ecfaa09402d0b268ac1b2b8ca23955c
                            • Instruction Fuzzy Hash: C041267050EBC84FE7569B2898559523FF0EF52321B1A06EFD088CB5B3D625A846C792
                            Memory Dump Source
                            • Source File: 00000004.00000002.1877304571.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7ffd9b970000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ad61e228790bd730147758ba5ef5494b57f33522a75067588e6f1cc3e1acc0a1
                            • Instruction ID: d71eba672d6b5e4675bfda0db32d6eb60ff6bcc259787d6dcb4e928996ba62ad
                            • Opcode Fuzzy Hash: ad61e228790bd730147758ba5ef5494b57f33522a75067588e6f1cc3e1acc0a1
                            • Instruction Fuzzy Hash: 7F21D422B3F98A1FE7B9EA5C44A227863C1EF61610B4A40BED05DC76F3DE14EC058341
                            Memory Dump Source
                            • Source File: 00000004.00000002.1876525040.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7ffd9b8a5000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 56d9c3351d0556f5ef5a2c286158c50b5da54216171a6d248ea58bfa93024606
                            • Instruction ID: 7971c9b4b9e564d96754bf6f55229576474e8459413b7cb8bda17dc70ba2d2e8
                            • Opcode Fuzzy Hash: 56d9c3351d0556f5ef5a2c286158c50b5da54216171a6d248ea58bfa93024606
                            • Instruction Fuzzy Hash: 1821F83190CB8C8FDB59DBAC9C4A7E97FE0EB96321F04416FD049C3162DA74A456CB92
                            Memory Dump Source
                            • Source File: 00000004.00000002.1877304571.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7ffd9b970000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9029fba18379893f5933a53bddb60205a1c294e63908d4cad707c93d2e09f9ba
                            • Instruction ID: 17e5e9630e1344e5d8794c4cb207d36aabf228b18f0abc42d059c1bff88669d7
                            • Opcode Fuzzy Hash: 9029fba18379893f5933a53bddb60205a1c294e63908d4cad707c93d2e09f9ba
                            • Instruction Fuzzy Hash: 3511E032A1F55A5FE7B4DB6894B4AB877D1EF40620B5A00FED06DC72A7DA18AD008341
                            Memory Dump Source
                            • Source File: 00000004.00000002.1876525040.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7ffd9b8a0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                            • Instruction ID: 2d8e5c199f5335979778887b622e34919a8febb75adba4d6537578fae4bb4e89
                            • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                            • Instruction Fuzzy Hash: 8601677121CB0D4FD748EF0CE451AA6B7E0FB99364F10056DE58AC36A5DA36E882CB45
                            Memory Dump Source
                            • Source File: 00000004.00000002.1876525040.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7ffd9b8a5000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3c1f0b58ab0d2416ff5062d955b48444c41ca32d43afc64a58ee3dcde405cbb9
                            • Instruction ID: aabe3f058eb065872ea5b35f7dee8df68aab017cfb4a4c74e59d613a902ae3ef
                            • Opcode Fuzzy Hash: 3c1f0b58ab0d2416ff5062d955b48444c41ca32d43afc64a58ee3dcde405cbb9
                            • Instruction Fuzzy Hash: FEE09A31804A4C8FCB44EF18C8198E97BA0FF28200B00029BE80DC7120EB319A58CBC2
                            Strings
                            Memory Dump Source
                            • Source File: 00000004.00000002.1876525040.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_4_2_7ffd9b8a5000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: L_^8$L_^<$L_^?$L_^J$L_^K$L_^N$L_^Q$L_^Y
                            • API String ID: 0-1415242001
                            • Opcode ID: 376fa47dd52ce803f5d748140fcaab1eb293776c348edebb478c5cdf911be059
                            • Instruction ID: e7c9e3fbdb16d3d3ea5212ac3ffb3de1b4bcdf25e518ceaaa350289893b59a2e
                            • Opcode Fuzzy Hash: 376fa47dd52ce803f5d748140fcaab1eb293776c348edebb478c5cdf911be059
                            • Instruction Fuzzy Hash: E72107B37045258AC30A37ADBC559ED7780DF5437834551F3E228CF153EF24A48B8A80
                            Memory Dump Source
                            • Source File: 00000007.00000002.2023604335.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_7ffd9b980000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 164be721688855adb895f4a42e259a2e0c38e407e5b503b0bb7ab9ae0949eefa
                            • Instruction ID: c5aaf5bcc36daa70c9f1c6eda5e2677568d9671d66625cfa8681e01a7bf6e956
                            • Opcode Fuzzy Hash: 164be721688855adb895f4a42e259a2e0c38e407e5b503b0bb7ab9ae0949eefa
                            • Instruction Fuzzy Hash: 48C14632B1FE8E1FEBA5EB6858659B57BD1EF11314F0901BED05CCB0E7D928A9018341
                            Memory Dump Source
                            • Source File: 00000007.00000002.2022545458.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_7ffd9b8b0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 985c3135dc97695d2c51730c9adab06430882ecdd265e5f47a3592589296ca2a
                            • Instruction ID: 382fb155641cfa854274f0b3525ea456b5b1c78042994392dd08f0a4ddc3cad7
                            • Opcode Fuzzy Hash: 985c3135dc97695d2c51730c9adab06430882ecdd265e5f47a3592589296ca2a
                            • Instruction Fuzzy Hash: BA513073E0A5AD5FEF119B6C9CB60D53BA0EF1532CB0902B3D4988B0A3FC1525178AC5
                            Memory Dump Source
                            • Source File: 00000007.00000002.2023604335.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_7ffd9b980000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f843efc7113dd698ef003cbe93a769b6350b950e22042079912f920e74b370bf
                            • Instruction ID: 61b8e78fc2439f0b2abf8bb0d359078a6f2adcac4337b6c311126526ec0f3cab
                            • Opcode Fuzzy Hash: f843efc7113dd698ef003cbe93a769b6350b950e22042079912f920e74b370bf
                            • Instruction Fuzzy Hash: C2513A32B1EE4A1FE7AACA5C442277577D1DF65610B1A40BEC05DC72E3DE24EC058341
                            Memory Dump Source
                            • Source File: 00000007.00000002.2023604335.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_7ffd9b980000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 386fba00f1aec05f87c20066af534145a2ddc4078e65a75db37eb8e2d80f6121
                            • Instruction ID: 773438313d6bc596c8067f12ce7b6b2af0467f53327adf73de95181c7926c5cc
                            • Opcode Fuzzy Hash: 386fba00f1aec05f87c20066af534145a2ddc4078e65a75db37eb8e2d80f6121
                            • Instruction Fuzzy Hash: 67411832B1EE495FEBB9D7689421AB477D1EF45720B0901FFD05DC72A7EA24AD018341
                            Memory Dump Source
                            • Source File: 00000007.00000002.2022545458.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_7ffd9b8b0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a55989dc951cb66f7d4b5331e5bc4316f1f585661bcb52a97233c5982cc97ed7
                            • Instruction ID: cea387578a5cf14e564f3852fa0de91f7155f671de3aad1876c790f5ce947a13
                            • Opcode Fuzzy Hash: a55989dc951cb66f7d4b5331e5bc4316f1f585661bcb52a97233c5982cc97ed7
                            • Instruction Fuzzy Hash: 99412B71A1DA8C8FDB589F5C985A6F87BE0FB99310F40416FE44C83292DA70B805CBC6
                            Memory Dump Source
                            • Source File: 00000007.00000002.2021493331.00007FFD9B79D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B79D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_7ffd9b79d000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f77db892548f538af48977dcab5e8e6f971a1e002510841a18a4a4deb1457a32
                            • Instruction ID: 4879ba32cd3166bcc70a9351db64f12aa43e274eb80c0568bce58e0e9a5673e4
                            • Opcode Fuzzy Hash: f77db892548f538af48977dcab5e8e6f971a1e002510841a18a4a4deb1457a32
                            • Instruction Fuzzy Hash: C641197040EBC44FE7569B289C519523FF0EF57320B1A06DFD088CB1B7D625A849C792
                            Memory Dump Source
                            • Source File: 00000007.00000002.2022545458.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_7ffd9b8b0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2bfde10bf925b7128ccc304fd2e2c1ac5110e5c18b9e3c577b4a1900e24a67e9
                            • Instruction ID: 759926aa424e0fef542d58676fa8c1a593e9a3166c08f9f7fe80d1d234363702
                            • Opcode Fuzzy Hash: 2bfde10bf925b7128ccc304fd2e2c1ac5110e5c18b9e3c577b4a1900e24a67e9
                            • Instruction Fuzzy Hash: 7221FB3190C74C8FDB59DBAC984A7E97FF0EB96321F04416BD048C7162DA74941ACB91
                            Memory Dump Source
                            • Source File: 00000007.00000002.2023604335.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_7ffd9b980000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0106c4ed1309b7b8ca34b7836acd00f0ce708b33e9b657760fa26723f4ea5361
                            • Instruction ID: 876df2ff60115744d931405f3f9be3fe764f27d979b06879d95746a0bd9ced05
                            • Opcode Fuzzy Hash: 0106c4ed1309b7b8ca34b7836acd00f0ce708b33e9b657760fa26723f4ea5361
                            • Instruction Fuzzy Hash: 7921D422B2FD8A5FE7BACA58446227567C2EF71210B4A40BDD05DC76F2DE28EC058341
                            Memory Dump Source
                            • Source File: 00000007.00000002.2023604335.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_7ffd9b980000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c9022572c0d154192e7b8b82b718ef0e499beb8632c66adb79ce9a7d8645943b
                            • Instruction ID: 42faef1c90582f5d7c35f329f233c0eaccda4441d2cb53ee199bc9beffe99cc6
                            • Opcode Fuzzy Hash: c9022572c0d154192e7b8b82b718ef0e499beb8632c66adb79ce9a7d8645943b
                            • Instruction Fuzzy Hash: 5911C232B1F94A5FE7B4DB689474AB877D1EF40720B4A00FED06DC76A7DA28AD008341
                            Memory Dump Source
                            • Source File: 00000007.00000002.2022545458.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_7ffd9b8b0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                            • Instruction ID: 9bdfda7ff094c016ee29611a0f36b44afefaafe4c9d5040173e090ca4ad0f1af
                            • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                            • Instruction Fuzzy Hash: 8701A73120CB0C4FD748EF0CE451AA6B3E0FB89320F10056EE58AC36A1DA32E882CB41
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2022545458.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_7ffd9b8b0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: K_^$K_^$K_^$K_^
                            • API String ID: 0-4267328068
                            • Opcode ID: 73a614d9b72136a013eb0eb58cb3266f33f5f6a27a3d6056257ccb1cb7632dda
                            • Instruction ID: 9134bbec1382ab81a7d09c8de5c9b37defd145b29598d6ed450780716ef9598d
                            • Opcode Fuzzy Hash: 73a614d9b72136a013eb0eb58cb3266f33f5f6a27a3d6056257ccb1cb7632dda
                            • Instruction Fuzzy Hash: 7441B2A3A0F6E65FE726476848750D57FA0EF1636470E12F7C094CB0A3ED1825078692
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2022545458.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_7ffd9b8b0000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: K_^4$K_^7$K_^F$K_^J
                            • API String ID: 0-377281160
                            • Opcode ID: 4bcb7626cc64b94c55d6df8f3314fc61f7497ef9aa3022dd500b8fbce610da28
                            • Instruction ID: c815e6c2b718b347b84d3f063be8ded7c21d719f69ad06d17291c854427b9ce5
                            • Opcode Fuzzy Hash: 4bcb7626cc64b94c55d6df8f3314fc61f7497ef9aa3022dd500b8fbce610da28
                            • Instruction Fuzzy Hash: 3421D4B77085269ED70A7B7DBC589E93BA0DB9827834542F3D1A9CB093E91460878AD0
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2229211297.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9fc60865d73ec97d4930e6f0b7d0b279c72289dfa7e99060a175e8352a764b2a
                            • Instruction ID: bbd46a950e0c3d9d7ea24f222880d3246c59e724e808535f6f4616b48e938195
                            • Opcode Fuzzy Hash: 9fc60865d73ec97d4930e6f0b7d0b279c72289dfa7e99060a175e8352a764b2a
                            • Instruction Fuzzy Hash: F1D19070A08A4D8FDF99DF58C465AE9BBE1FF68340F15416AD40DD72A6CB34E881CB81
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2230304566.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_7ffd9b960000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8e09a63ca2b7cfd7283316cba39c56ecae0199bfad04abdbf8ee6c936e92318b
                            • Instruction ID: 8d49d2af17f1788a907b3a371322393d853158482bfcd8e8bcc12909303c6359
                            • Opcode Fuzzy Hash: 8e09a63ca2b7cfd7283316cba39c56ecae0199bfad04abdbf8ee6c936e92318b
                            • Instruction Fuzzy Hash: EED15732A1FB8E9FEBA5ABA858645F57BA0EF52314B0901FFD04CC70E7D918A901C341
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2229211297.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7814f7e0a36d8e0dabed448cd8b28201fc64d17b22e6c72d42c698dbabac6720
                            • Instruction ID: 9619f30209098dd1194e3846272a60d9d6ed22ae187036a583ff34f34c6d63ca
                            • Opcode Fuzzy Hash: 7814f7e0a36d8e0dabed448cd8b28201fc64d17b22e6c72d42c698dbabac6720
                            • Instruction Fuzzy Hash: F5219D6A90F7CD8FDB539B289C790D47FB0EE17214B0A01E7C089CB0B3D91859498792
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2229211297.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e97886c6f08c9d7036c6affc2d904c539af7244021ae9897893081bab554b799
                            • Instruction ID: 4a09c5adc7ae05af7f59686c582fdf4020fda71117fb04246de26f1149b150e2
                            • Opcode Fuzzy Hash: e97886c6f08c9d7036c6affc2d904c539af7244021ae9897893081bab554b799
                            • Instruction Fuzzy Hash: A221D76190E7CA9FDB539B7848691A47FF0AF17250B0A00EBD488CB0B3D91999488393
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2230304566.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_7ffd9b960000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 74e43b48d668f9f53452657ff4f9aeafc7ee462a438e1d4d181e3d9e4d279b05
                            • Instruction ID: f9b1bc33d2555e0d6b9d642e9f7a63c0b5a8b8bcf5927ec794576c2ee38c9a72
                            • Opcode Fuzzy Hash: 74e43b48d668f9f53452657ff4f9aeafc7ee462a438e1d4d181e3d9e4d279b05
                            • Instruction Fuzzy Hash: 43513832B1EA4A9FEBA9DA9C442267477D1EFA5610B1A40BFC05DC72E3DE14EC058341
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2230304566.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_7ffd9b960000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bd9381b21987299c7fc454af861ca9bc8645e44c7c855c1dff19ec1488603a59
                            • Instruction ID: 8be2b91b14a67d2dd4a2c6ce2fb4938e74e544de53ccf46f9122cfd5f1136278
                            • Opcode Fuzzy Hash: bd9381b21987299c7fc454af861ca9bc8645e44c7c855c1dff19ec1488603a59
                            • Instruction Fuzzy Hash: CE412732B1EA4D9FEBB9D7A85421AB477D1EF85720B0901FFD05DC72A7EA14AD018381
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2229211297.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dbba9530308ad645f004afff06599bd9512dccf8347e6862ddd44b971ade6c87
                            • Instruction ID: 96c0ac9101b0ca48e6db44437c2ff1c87884f1fd2b7ab5e85d54977e619b0df1
                            • Opcode Fuzzy Hash: dbba9530308ad645f004afff06599bd9512dccf8347e6862ddd44b971ade6c87
                            • Instruction Fuzzy Hash: E041387190DB884FDB18DF5C9C0A6A87FE1FB99310F04416FE499C3292DA70A905CBC2
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2228001439.00007FFD9B77D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B77D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_7ffd9b77d000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 430c45151810164b94d6cedf1e2af326b9912664325496a325f085520e945ae6
                            • Instruction ID: ce02415a2bb5e5bf7465528fb1c07ef794374bf43eeccb6c205456a99c0726ab
                            • Opcode Fuzzy Hash: 430c45151810164b94d6cedf1e2af326b9912664325496a325f085520e945ae6
                            • Instruction Fuzzy Hash: FE412B7180EBC44FE7568B3898519523FF4EF53320B1606EFD088CB5B3D665A846C792
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2229211297.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2c88dbca3cb1e399c283da8e57bbc583614839d2b1638f9fcf052ed7c1949137
                            • Instruction ID: 317c0696fb17cd71dd4de85e7a32bc129852e7f134e4ffccd5ca251606b0b686
                            • Opcode Fuzzy Hash: 2c88dbca3cb1e399c283da8e57bbc583614839d2b1638f9fcf052ed7c1949137
                            • Instruction Fuzzy Hash: 9221E43090CB4C8FDB59DBAC9C4A7E97FE0EF96321F04416BD048C7162DA74985ACB92
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2230304566.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_7ffd9b960000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 56208fa95018a2e975af7fe88065ddac3b81b11d643f7f1489a92ec30ea66fd6
                            • Instruction ID: a8cf20460a052dc331ea0fc982f3c9d826f847f8e6cb9a44081626c2608b0ad7
                            • Opcode Fuzzy Hash: 56208fa95018a2e975af7fe88065ddac3b81b11d643f7f1489a92ec30ea66fd6
                            • Instruction Fuzzy Hash: 2921D432F2FA8A9FE7B9DA98446227463C1EF61610B4B40BED05DC76F2DE14EC058341
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2230304566.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_7ffd9b960000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: acdb4c62f6750c0f658b9c6fff8b56d15d41378510712998d4b3c4548d24ef6b
                            • Instruction ID: ccd5f01fda16953a8dfe00ba91a006f4cf96cf3824e1a2181313ba6d91330a11
                            • Opcode Fuzzy Hash: acdb4c62f6750c0f658b9c6fff8b56d15d41378510712998d4b3c4548d24ef6b
                            • Instruction Fuzzy Hash: B811E532B1F54A9FE7B5DBA89475AB877D1EF40720B4A00FED06DC72A7DA18AD008341
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2229211297.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                            • Instruction ID: 790f53b18bf535405e1566ca4fc67868e3ace26fd97990e01e1bad52e7daa871
                            • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                            • Instruction Fuzzy Hash: 7401A73020CB0C4FDB48EF0CE451AA6B7E0FB89320F10056DE58AC36A1DA32E882CB41
                            Strings
                            Memory Dump Source
                            • Source File: 0000000B.00000002.2229211297.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd
                            Similarity
                            • API ID:
                            • String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
                            • API String ID: 0-962139525
                            • Opcode ID: 78afc6692382add72f29a453e46cef919c850fcb415a89dede20db3bf3140953
                            • Instruction ID: ad9997269ca045c2f6f29c292932e0e691c5b571fa522245f23bec43a457ca72
                            • Opcode Fuzzy Hash: 78afc6692382add72f29a453e46cef919c850fcb415a89dede20db3bf3140953
                            • Instruction Fuzzy Hash: 2021C2B3B04525CAD30A36ACBC559D87780DF5437938603F3E029CF193F958A48B8A81
                            Memory Dump Source
                            • Source File: 0000000D.00000002.2371834851.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_13_2_7ffd9b870000_Windows defender.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f5887fd259358592b22fe3e6a0fa26481cab3346b383eeabd8346535af4a7523
                            • Instruction ID: 33172b99d47499bafa4c69033a44bad098e559844ca81c0e7e9994d621fd135d
                            • Opcode Fuzzy Hash: f5887fd259358592b22fe3e6a0fa26481cab3346b383eeabd8346535af4a7523
                            • Instruction Fuzzy Hash: 45120A61B29A494FEBA8FB7894B97B977D1FF9C704F400479E01DC32D6DE28A9018741
                            Strings
                            Memory Dump Source