Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
7LwVrYH7sy.exe

Overview

General Information

Sample name:7LwVrYH7sy.exe
renamed because original name is a hash value
Original sample name:98bb8993b66cdc1bab7ea0c412a867bc5ad074c22ce5ac22d2bc96855ca1829f.exe
Analysis ID:1530279
MD5:4f99e5e92e4eb0d0fa2aa397d5860ce2
SHA1:4a22ad6d61ec0430f49addafbc10f0124d125c40
SHA256:98bb8993b66cdc1bab7ea0c412a867bc5ad074c22ce5ac22d2bc96855ca1829f
Tags:exeuser-Chainskilabs
Infos:

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 7LwVrYH7sy.exe (PID: 4044 cmdline: "C:\Users\user\Desktop\7LwVrYH7sy.exe" MD5: 4F99E5E92E4EB0D0FA2AA397D5860CE2)
    • powershell.exe (PID: 6052 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7LwVrYH7sy.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3792 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '7LwVrYH7sy.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1912 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SystemUser.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2176 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemUser.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • SystemUser.exe (PID: 6256 cmdline: "C:\Users\user\AppData\Roaming\SystemUser.exe" MD5: 4F99E5E92E4EB0D0FA2AA397D5860CE2)
  • SystemUser.exe (PID: 1168 cmdline: "C:\Users\user\AppData\Roaming\SystemUser.exe" MD5: 4F99E5E92E4EB0D0FA2AA397D5860CE2)
  • cleanup

Malware Configuration

Threatname: Xworm

{"C2 url": ["147.185.221.18"], "Port": "14512", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
7LwVrYH7sy.exeJoeSecurity_XWormYara detected XWormJoe Security
    7LwVrYH7sy.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
      7LwVrYH7sy.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
      • 0xd7a6:$s6: VirtualBox
      • 0xd704:$s8: Win32_ComputerSystem
      • 0xf55a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0xf5f7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0xf70c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0xe9e3:$cnc4: POST / HTTP/1.1

      Dropped Files

      SourceRuleDescriptionAuthorStrings
      C:\Users\user\AppData\Roaming\SystemUser.exeJoeSecurity_XWormYara detected XWormJoe Security
        C:\Users\user\AppData\Roaming\SystemUser.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
          C:\Users\user\AppData\Roaming\SystemUser.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
          • 0xd7a6:$s6: VirtualBox
          • 0xd704:$s8: Win32_ComputerSystem
          • 0xf55a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
          • 0xf5f7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
          • 0xf70c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
          • 0xe9e3:$cnc4: POST / HTTP/1.1

          Memory Dumps

          SourceRuleDescriptionAuthorStrings
          00000000.00000000.1241620548.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_XWormYara detected XWormJoe Security
            00000000.00000000.1241620548.0000000000FA2000.00000002.00000001.01000000.00000003.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
            • 0xd5a6:$s6: VirtualBox
            • 0xd504:$s8: Win32_ComputerSystem
            • 0xf35a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
            • 0xf3f7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
            • 0xf50c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
            • 0xe7e3:$cnc4: POST / HTTP/1.1
            00000000.00000002.2499295314.00000000034B1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
              Process Memory Space: 7LwVrYH7sy.exe PID: 4044JoeSecurity_XWormYara detected XWormJoe Security

                Unpacked PEs

                SourceRuleDescriptionAuthorStrings
                0.0.7LwVrYH7sy.exe.fa0000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
                  0.0.7LwVrYH7sy.exe.fa0000.0.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                    0.0.7LwVrYH7sy.exe.fa0000.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                    • 0xd7a6:$s6: VirtualBox
                    • 0xd704:$s8: Win32_ComputerSystem
                    • 0xf55a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                    • 0xf5f7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                    • 0xf70c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                    • 0xe9e3:$cnc4: POST / HTTP/1.1

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7LwVrYH7sy.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7LwVrYH7sy.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\7LwVrYH7sy.exe", ParentImage: C:\Users\user\Desktop\7LwVrYH7sy.exe, ParentProcessId: 4044, ParentProcessName: 7LwVrYH7sy.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7LwVrYH7sy.exe', ProcessId: 6052, ProcessName: powershell.exe
                    Sigma detected: Change PowerShell Policies to an Insecure Level
                    Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7LwVrYH7sy.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7LwVrYH7sy.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\7LwVrYH7sy.exe", ParentImage: C:\Users\user\Desktop\7LwVrYH7sy.exe, ParentProcessId: 4044, ParentProcessName: 7LwVrYH7sy.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7LwVrYH7sy.exe', ProcessId: 6052, ProcessName: powershell.exe
                    Sigma detected: CurrentVersion Autorun Keys Modification
                    Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\SystemUser.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\7LwVrYH7sy.exe, ProcessId: 4044, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemUser
                    Sigma detected: Powershell Defender Exclusion
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7LwVrYH7sy.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7LwVrYH7sy.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\7LwVrYH7sy.exe", ParentImage: C:\Users\user\Desktop\7LwVrYH7sy.exe, ParentProcessId: 4044, ParentProcessName: 7LwVrYH7sy.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7LwVrYH7sy.exe', ProcessId: 6052, ProcessName: powershell.exe
                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7LwVrYH7sy.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7LwVrYH7sy.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\7LwVrYH7sy.exe", ParentImage: C:\Users\user\Desktop\7LwVrYH7sy.exe, ParentProcessId: 4044, ParentProcessName: 7LwVrYH7sy.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7LwVrYH7sy.exe', ProcessId: 6052, ProcessName: powershell.exe

                    Suricata Signatures

                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2024-10-09T23:10:35.458943+020028559241Malware Command and Control Activity Detected192.168.2.749973147.185.221.1814512TCP

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Antivirus / Scanner detection for submitted sample
                    Source: 7LwVrYH7sy.exeAvira: detected
                    Antivirus detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeAvira: detection malicious, Label: TR/Spy.Gen
                    Found malware configuration
                    Source: 7LwVrYH7sy.exeMalware Configuration Extractor: Xworm {"C2 url": ["147.185.221.18"], "Port": "14512", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
                    Multi AV Scanner detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeReversingLabs: Detection: 78%
                    Multi AV Scanner detection for submitted file
                    Source: 7LwVrYH7sy.exeReversingLabs: Detection: 78%
                    AI detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Machine Learning detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeJoe Sandbox ML: detected
                    Machine Learning detection for sample
                    Source: 7LwVrYH7sy.exeJoe Sandbox ML: detected
                    Sample uses string decryption to hide its real strings
                    Source: 7LwVrYH7sy.exeString decryptor: 147.185.221.18
                    Source: 7LwVrYH7sy.exeString decryptor: 14512
                    Source: 7LwVrYH7sy.exeString decryptor: <123456789>
                    Source: 7LwVrYH7sy.exeString decryptor: <Xwormmm>
                    Source: 7LwVrYH7sy.exeString decryptor: XWorm V5.6
                    Source: 7LwVrYH7sy.exeString decryptor: USB.exe
                    Source: 7LwVrYH7sy.exeString decryptor: %AppData%
                    Source: 7LwVrYH7sy.exeString decryptor: SystemUser.exe
                    Source: 7LwVrYH7sy.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 7LwVrYH7sy.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Networking

                    barindex
                    Suricata IDS alerts for network traffic
                    Source: Network trafficSuricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49973 -> 147.185.221.18:14512
                    C2 URLs / IPs found in malware configuration
                    Source: Malware configuration extractorURLs: 147.185.221.18
                    Yara detected Generic Downloader
                    Source: Yara matchFile source: 7LwVrYH7sy.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.0.7LwVrYH7sy.exe.fa0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\SystemUser.exe, type: DROPPED
                    Source: global trafficTCP traffic: 192.168.2.7:49972 -> 147.185.221.18:14512
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                    Source: Joe Sandbox ViewIP Address: 147.185.221.18 147.185.221.18
                    Source: Joe Sandbox ViewASN Name: TUT-ASUS TUT-ASUS
                    Source: Joe Sandbox ViewASN Name: SALSGIVERUS SALSGIVERUS
                    Source: unknownDNS query: name: ip-api.com
                    Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.18
                    Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.18
                    Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.18
                    Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.18
                    Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.18
                    Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.18
                    Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.18
                    Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.18
                    Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.18
                    Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.18
                    Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.18
                    Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.18
                    Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.18
                    Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.18
                    Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.18
                    Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.18
                    Source: unknownTCP traffic detected without corresponding DNS query: 147.185.221.18
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: global trafficDNS traffic detected: DNS query: ip-api.com
                    Source: powershell.exe, 0000000F.00000002.1592537143.000001CF7BAC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1590739892.000001CF7B8E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.m
                    Source: powershell.exe, 00000011.00000002.1811285850.00000299ACEF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mic
                    Source: powershell.exe, 00000011.00000002.1811285850.00000299ACEF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micft.cMicRosof
                    Source: powershell.exe, 00000008.00000002.1347646318.000001E7D445A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micros
                    Source: powershell.exe, 0000000F.00000002.1592537143.000001CF7BAC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microso
                    Source: powershell.exe, 0000000F.00000002.1582122264.000001CF79B05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoftu
                    Source: 7LwVrYH7sy.exe, SystemUser.exe.0.drString found in binary or memory: http://ip-api.com/line/?fields=hosting
                    Source: powershell.exe, 00000008.00000002.1342138642.000001E7CBFFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1425743236.000001F8AA6B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1562025089.000001CF1006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1779445860.00000299A479C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 00000011.00000002.1630165393.0000029994959000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 00000008.00000002.1347051029.000001E7D43F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.microsoft.co
                    Source: powershell.exe, 00000008.00000002.1322985233.000001E7BC1B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1375888086.000001F89A868000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1469783250.000001CF0022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1630165393.0000029994959000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: 7LwVrYH7sy.exe, 00000000.00000002.2499295314.00000000034B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1322985233.000001E7BBF91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1375888086.000001F89A641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1469783250.000001CF00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1630165393.0000029994731000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000008.00000002.1322985233.000001E7BC1B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1375888086.000001F89A868000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1469783250.000001CF0022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1630165393.0000029994959000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 00000011.00000002.1630165393.0000029994959000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe, 00000011.00000002.1809781014.00000299ACEAD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
                    Source: powershell.exe, 00000008.00000002.1347646318.000001E7D4494000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.c
                    Source: powershell.exe, 00000008.00000002.1346899622.000001E7D4302000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
                    Source: powershell.exe, 00000011.00000002.1811285850.00000299ACEF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.coA
                    Source: powershell.exe, 0000000C.00000002.1442078517.000001F8B2D24000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.coq
                    Source: powershell.exe, 00000008.00000002.1322985233.000001E7BBF91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1375888086.000001F89A641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1469783250.000001CF00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1630165393.0000029994731000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                    Source: powershell.exe, 00000011.00000002.1779445860.00000299A479C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000011.00000002.1779445860.00000299A479C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000011.00000002.1779445860.00000299A479C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: powershell.exe, 00000011.00000002.1630165393.0000029994959000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 00000008.00000002.1342138642.000001E7CBFFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1425743236.000001F8AA6B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1562025089.000001CF1006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1779445860.00000299A479C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe

                    Operating System Destruction

                    barindex
                    Protects its processes via BreakOnTermination flag
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: 01 00 00 00 Jump to behavior

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 7LwVrYH7sy.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 0.0.7LwVrYH7sy.exe.fa0000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000000.00000000.1241620548.0000000000FA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeCode function: 0_2_00007FFAACCA69720_2_00007FFAACCA6972
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeCode function: 0_2_00007FFAACCA5BC60_2_00007FFAACCA5BC6
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeCode function: 0_2_00007FFAACCA1C260_2_00007FFAACCA1C26
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFAACCA211B8_2_00007FFAACCA211B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFAACD70B128_2_00007FFAACD70B12
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_00007FFAACD930E915_2_00007FFAACD930E9
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeCode function: 22_2_00007FFAACCD103822_2_00007FFAACCD1038
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeCode function: 23_2_00007FFAACCA103823_2_00007FFAACCA1038
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeCode function: 23_2_00007FFAACCA1C2623_2_00007FFAACCA1C26
                    Source: 7LwVrYH7sy.exe, 00000000.00000000.1241652907.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameXClient.exe4 vs 7LwVrYH7sy.exe
                    Source: 7LwVrYH7sy.exeBinary or memory string: OriginalFilenameXClient.exe4 vs 7LwVrYH7sy.exe
                    Source: 7LwVrYH7sy.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 7LwVrYH7sy.exe, type: SAMPLEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 0.0.7LwVrYH7sy.exe.fa0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000000.00000000.1241620548.0000000000FA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 7LwVrYH7sy.exe, kp2V64H9esPZoiVgTImWIpd3T0wx6egrH8emtjvn8XtTgCF1Y3PC0vawPbb5atkUdAcydYJOqmkRtyyfvh.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 7LwVrYH7sy.exe, 5njIlfOWWD34q6q4hhViUMoznrsghikwR5mIoOMwf09gSEXU5slzvTqvrJL7RGULTsPS5gyKSLxXnbpOPQ.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 7LwVrYH7sy.exe, 5njIlfOWWD34q6q4hhViUMoznrsghikwR5mIoOMwf09gSEXU5slzvTqvrJL7RGULTsPS5gyKSLxXnbpOPQ.csCryptographic APIs: 'TransformFinalBlock'
                    Source: SystemUser.exe.0.dr, kp2V64H9esPZoiVgTImWIpd3T0wx6egrH8emtjvn8XtTgCF1Y3PC0vawPbb5atkUdAcydYJOqmkRtyyfvh.csCryptographic APIs: 'TransformFinalBlock'
                    Source: SystemUser.exe.0.dr, 5njIlfOWWD34q6q4hhViUMoznrsghikwR5mIoOMwf09gSEXU5slzvTqvrJL7RGULTsPS5gyKSLxXnbpOPQ.csCryptographic APIs: 'TransformFinalBlock'
                    Source: SystemUser.exe.0.dr, 5njIlfOWWD34q6q4hhViUMoznrsghikwR5mIoOMwf09gSEXU5slzvTqvrJL7RGULTsPS5gyKSLxXnbpOPQ.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 7LwVrYH7sy.exe, ximn6HkKeGEC12l5aNK7XLvN81YNM66xIklRJ2XWOzro0i.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 7LwVrYH7sy.exe, ximn6HkKeGEC12l5aNK7XLvN81YNM66xIklRJ2XWOzro0i.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: SystemUser.exe.0.dr, ximn6HkKeGEC12l5aNK7XLvN81YNM66xIklRJ2XWOzro0i.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: SystemUser.exe.0.dr, ximn6HkKeGEC12l5aNK7XLvN81YNM66xIklRJ2XWOzro0i.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engineClassification label: mal100.troj.evad.winEXE@15/20@1/2
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeFile created: C:\Users\user\AppData\Roaming\SystemUser.exeJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:576:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2168:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4836:120:WilError_03
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeMutant created: \Sessions\1\BaseNamedObjects\4yiwjp8f0M3vNCGp
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2352:120:WilError_03
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeFile created: C:\Users\user\AppData\Local\Temp\Log.tmpJump to behavior
                    Source: 7LwVrYH7sy.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 7LwVrYH7sy.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: 7LwVrYH7sy.exeReversingLabs: Detection: 78%
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeFile read: C:\Users\user\Desktop\7LwVrYH7sy.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\7LwVrYH7sy.exe "C:\Users\user\Desktop\7LwVrYH7sy.exe"
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7LwVrYH7sy.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '7LwVrYH7sy.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SystemUser.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemUser.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\SystemUser.exe "C:\Users\user\AppData\Roaming\SystemUser.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\SystemUser.exe "C:\Users\user\AppData\Roaming\SystemUser.exe"
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7LwVrYH7sy.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '7LwVrYH7sy.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SystemUser.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemUser.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: avicap32.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: msvfw32.dllJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                    Source: 7LwVrYH7sy.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: 7LwVrYH7sy.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    barindex
                    .NET source code contains method to dynamically call methods (often used by packers)
                    Source: 7LwVrYH7sy.exe, fxsPBBDTgZ6v0pvTdZCvdfCDLkspbWYr.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_9FLYcRbWk1kTnc.SZ7WKExrPtgs16,_9FLYcRbWk1kTnc.qa87SrVegTz83E,_9FLYcRbWk1kTnc.YvCLRIwPmLT4MO,_9FLYcRbWk1kTnc.Vp48QEfOrRiKIP,_5njIlfOWWD34q6q4hhViUMoznrsghikwR5mIoOMwf09gSEXU5slzvTqvrJL7RGULTsPS5gyKSLxXnbpOPQ.qbFLILMkHCVaYs4CS7cEGxHI()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: 7LwVrYH7sy.exe, fxsPBBDTgZ6v0pvTdZCvdfCDLkspbWYr.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{dysuLRGPsgV0B30qtLQQMqpGxqZpl1lmuvtZbUiRjRTuo4qydj383a01qLtaomAf[2],_5njIlfOWWD34q6q4hhViUMoznrsghikwR5mIoOMwf09gSEXU5slzvTqvrJL7RGULTsPS5gyKSLxXnbpOPQ.RAOtOdWKBrc7adXFONL8x3V5(Convert.FromBase64String(dysuLRGPsgV0B30qtLQQMqpGxqZpl1lmuvtZbUiRjRTuo4qydj383a01qLtaomAf[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: SystemUser.exe.0.dr, fxsPBBDTgZ6v0pvTdZCvdfCDLkspbWYr.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_9FLYcRbWk1kTnc.SZ7WKExrPtgs16,_9FLYcRbWk1kTnc.qa87SrVegTz83E,_9FLYcRbWk1kTnc.YvCLRIwPmLT4MO,_9FLYcRbWk1kTnc.Vp48QEfOrRiKIP,_5njIlfOWWD34q6q4hhViUMoznrsghikwR5mIoOMwf09gSEXU5slzvTqvrJL7RGULTsPS5gyKSLxXnbpOPQ.qbFLILMkHCVaYs4CS7cEGxHI()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: SystemUser.exe.0.dr, fxsPBBDTgZ6v0pvTdZCvdfCDLkspbWYr.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{dysuLRGPsgV0B30qtLQQMqpGxqZpl1lmuvtZbUiRjRTuo4qydj383a01qLtaomAf[2],_5njIlfOWWD34q6q4hhViUMoznrsghikwR5mIoOMwf09gSEXU5slzvTqvrJL7RGULTsPS5gyKSLxXnbpOPQ.RAOtOdWKBrc7adXFONL8x3V5(Convert.FromBase64String(dysuLRGPsgV0B30qtLQQMqpGxqZpl1lmuvtZbUiRjRTuo4qydj383a01qLtaomAf[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    .NET source code contains potential unpacker
                    Source: 7LwVrYH7sy.exe, fxsPBBDTgZ6v0pvTdZCvdfCDLkspbWYr.cs.Net Code: Ke2vOQjY4Gc4olDx4ecwbKfEsSbZZsUI System.AppDomain.Load(byte[])
                    Source: 7LwVrYH7sy.exe, fxsPBBDTgZ6v0pvTdZCvdfCDLkspbWYr.cs.Net Code: ZLlTXxfI584mIKvmDZxmV0PKGEqAbuosYY784OZ3YmTkMnYRHnx6Yw7MFydyV4OI System.AppDomain.Load(byte[])
                    Source: 7LwVrYH7sy.exe, fxsPBBDTgZ6v0pvTdZCvdfCDLkspbWYr.cs.Net Code: ZLlTXxfI584mIKvmDZxmV0PKGEqAbuosYY784OZ3YmTkMnYRHnx6Yw7MFydyV4OI
                    Source: SystemUser.exe.0.dr, fxsPBBDTgZ6v0pvTdZCvdfCDLkspbWYr.cs.Net Code: Ke2vOQjY4Gc4olDx4ecwbKfEsSbZZsUI System.AppDomain.Load(byte[])
                    Source: SystemUser.exe.0.dr, fxsPBBDTgZ6v0pvTdZCvdfCDLkspbWYr.cs.Net Code: ZLlTXxfI584mIKvmDZxmV0PKGEqAbuosYY784OZ3YmTkMnYRHnx6Yw7MFydyV4OI System.AppDomain.Load(byte[])
                    Source: SystemUser.exe.0.dr, fxsPBBDTgZ6v0pvTdZCvdfCDLkspbWYr.cs.Net Code: ZLlTXxfI584mIKvmDZxmV0PKGEqAbuosYY784OZ3YmTkMnYRHnx6Yw7MFydyV4OI
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFAACB8D2A5 pushad ; iretd 8_2_00007FFAACB8D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFAACD72316 push 8B485F95h; iretd 8_2_00007FFAACD7231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFAACD739D1 pushad ; retf 8_2_00007FFAACD739F1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFAACB9D2A5 pushad ; iretd 12_2_00007FFAACB9D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFAACCB00BD pushad ; iretd 12_2_00007FFAACCB00C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FFAACD82316 push 8B485F94h; iretd 12_2_00007FFAACD8231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_00007FFAACBAD2A5 pushad ; iretd 15_2_00007FFAACBAD2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 15_2_00007FFAACD92316 push 8B485F93h; iretd 15_2_00007FFAACD9231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00007FFAACB9D2A5 pushad ; iretd 17_2_00007FFAACB9D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 17_2_00007FFAACD82316 push 8B485F94h; iretd 17_2_00007FFAACD8231B
                    Source: 7LwVrYH7sy.exe, ezFPTHzJaLIpKctPhuDzXUuP.csHigh entropy of concatenated method names: '_7bkMcnokonC1WccBZtFVCpco', 'XOEpZYniFI899DbDgaXMCDQJ', '_8h7dwaEJU7kDAXhoJlhBlv32', 'qxRISJ7WXq6ZF1pXNwe0u3fWF5RkGHYANJEvZXF1SjGFj7ZCgQa', '_1AYeKywSegrixxx1vM9onN2Tenop3sQzHidEUa37KDg0RsRsQDL', '_0InhDEf1yayQ7WTBi4Pw2j6GXPLvrTM5a5PMSWsdH8EVvNCaKjC', 'SP9TsmJcR7ZT4E3S7r8B2E2Yh65u2INcZE2erjkfjS9XSd8CHgH', 'evOmQnIQVO8c4h0YQYA0KMG7wxeUhWSKrm7nkmOZuDAesYrLWyK', 'qVDDQlzEDUEzEunD2DCBzRUpJhsR76pz97FKkkKApPtYd7LSbNP', 'yXFFeYjYHd2TAfi4xhtKzqyJjkPJqjA8GX0ZGlQEPVXBUY25bDp'
                    Source: 7LwVrYH7sy.exe, 9FLYcRbWk1kTnc.csHigh entropy of concatenated method names: 'MOK85FQqZXESGjZY3yXWyxYJaJWGjJJtVjj11CHZD', 'O4SjprATqeANw0f1m7mU6hjIHsrRtWXx5L2vi2Gbp', 'sThsA0yn6VT4TGBfIE8UNGKaPzlcnekQiVUErn8vH', 'DoZfz7DOfZWC3zkLpoKpThgTOnYXeXM9NQmfRLSCT'
                    Source: 7LwVrYH7sy.exe, 9yTDy1P4Q1apdx9Ah3XiCakvxe3g3DTHnCdIeEPTnPdd2ISF1MpulxBkpmhP7DCvoINhYesN.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'WrilJ2iDb8Af5wmTlKV1a7erbbxJoZA0cXXqCJOEt', 'RxilcFd2azOnswjl0wgJ9MmAnJOgL7lV1aQsLeGzN', '_8uMsatKhWXFywKrHdsB5skW55A0wBdWoiOaElTakT', 'A0f3kSlxi9dqyFshYoXP4kSYcmpwyva8bt464j6xe'
                    Source: 7LwVrYH7sy.exe, qBWzdfmOeuk6VQE2D6jj4wR88H8YxRdTWmxxGxr9xeFkLL.csHigh entropy of concatenated method names: '_7vASt3iZODcazTg52vKJ73KVU6PY66FuLLWHkdO94SBLXC', '_44ZqYMd1Hsy0sCWbSoUEyC7xwnktgqsQnx9qVRAC2j47Uc', 'fyAIwz2DAe0SACcGZMjLRvysMSsJjM92xErqepyQkNFcst', 'eXqNKBfSYT7IT4PtzKYVtqR3J794aKHFgfEmLCJlFBN9AK', 'h5hXZI59Vzi9MWPlzrjGhaL2Rv49Jd7CQX1EVfNbJo4917', 'eiK8S6HHQfxQnoUBcQLxD1wEOq7Ummz2mmHtV9K5eeEgNE', 'ynmbPcmOGQLyryHvJI2yj1GSlnQ09zRdxNXLwxHXWXopJO', '_19SvYd7jO75KYNSn3ldi5gj2Q5WofFDQjyC2mF4zTaOjbE', 'VLV2QIyj3QkjtoqKYyQDmJGnEDGj24Ot1TrVJtVa5oD76q', 'jN0gMVysOnGWcFzuKbxMvkk8CWJzVPVrtczdAUbNsGIjFX'
                    Source: 7LwVrYH7sy.exe, kp2V64H9esPZoiVgTImWIpd3T0wx6egrH8emtjvn8XtTgCF1Y3PC0vawPbb5atkUdAcydYJOqmkRtyyfvh.csHigh entropy of concatenated method names: 'usD0qvImEcpF1Oeqj6ny2D6pyCtgxt4bgpIINakFiHXbhYbVyfNsuKSyGtjz7YxBYnpQsbNqSKLpipUiGc', 'YLazJ0g85wekElkxHPwogd6CSKxtBBSvP', 'ETJfTVUnEMQuc9l4bZBD03xHUgDhNNomc', 'PREqbwgdYzcbZltBOgL3JFSO7NtGyTXws', 'tnmox01FG9dGmouK239ZOp0suIXnLNj5y'
                    Source: 7LwVrYH7sy.exe, S60rEQCeM04uUmX6ug90lEzkB6mmz971sPqZ7kI7AIuYBrS5KwmBKZKp0Xqytzq5.csHigh entropy of concatenated method names: 'zb62tZHbzNYODArG0ajIrkCZrmKIjzIccYT0iAtgXxbvPTRKarLKbBVdv6xe0GYY', '_74z1Qa5Y0vOGEG82S1UgYDInDcBP03lp4eQYrgdLOEDs7cI9D4fNLxGD0JTn6xd8', 'XoBgsyeRTAEzlfe2D7YrcMGcHiU2TXrwKVLG1xOPushPMiMfG4ZIDCuoCdDiIcbY', 'QkoYI2ZPS5wi9zXYYGRLwelv5ewQadVqAfRbcqthfksAvEQDgZMZfpeX1E8ZNmYD', 'BUUpUZ46jkK2aN1jbszmj23qewjKW9N4dCIrTEwHbR5KeBqCO', 'Jelt3EekNNGTmyiXQhvDGHWbHFovSKgxB6qRCttGzgkcKflok', 'CwhuGDy8tO1aZppGHfXps9gPHtBe5vbKBj3mjU1VtVAVMCslU', 'wgJDSkBjyxNMsAAj0x0AJlFNo6wlvD4JiB6I5Af5ysvCVUMWc', '_2kZ6b1a150XR3UCvSw4CqZhqjZ5jUr4c2JtIfhKygQBz4fEVX', 'xZIpUJOzQZ2BmFrnrUijbyKZCaY5hKfNrLbvbI5Igxh69kD1w'
                    Source: 7LwVrYH7sy.exe, ximn6HkKeGEC12l5aNK7XLvN81YNM66xIklRJ2XWOzro0i.csHigh entropy of concatenated method names: 'qQG3oDR66gIGRMTyhsvSkDVX0JdTb1AJ', 'Itm9SSjfDe3k1XhprmKxaIsdnTdJpCr6', 'cCXKkAT0J5iJNbj36YQ4GW5z6SA02Jrq', 'rgaD41sGcQbLLrKJtTS9V8JilJWmY0v2', '_8bkFdZn06oR2rpKtdHLpOXlHgGlAkisN', 'My4JzhZceP6ffJdGdIeHI0KDVCAJ1cYe', 'nd4FxkyYj38ugdBz0eqE4UX69kYcVKJR', 'Uep79HUkyrgSZHYXm0EYlk8ni98FSUke', 'fpv7HcwbBvR4M1QI21sRnmzL0Ah0a1Fi', '_3elmQ8m6SqZSX9XqHtWnvKr57ao4bEhG'
                    Source: 7LwVrYH7sy.exe, fxsPBBDTgZ6v0pvTdZCvdfCDLkspbWYr.csHigh entropy of concatenated method names: 'lucWIOqDu7SDkaccxEdtgIDEveB6prdU', 'Ke2vOQjY4Gc4olDx4ecwbKfEsSbZZsUI', 'MbUm1GR52skywhDX6uWUHUqDpw83qxRG', 'lJDMobP1hHpmWvS9NhmhedIiRjExxhZM', 'sPOaNUVPAm4JgQDlPKAllMiLIzcQhNT9', 'b9pvA2tnlykz4EYsI9DXWyaoAJWPYqxK', 'BxBRlYVBq3vmuT6vi53cJnq6GmMigElW', '_3x5Rsb0p6rXVnHCDiN6NfA8GpTArbqyU', 'GldedK7ictWe79oyGIQFDhwpg4fKILDjgjcU4U1nyLvHLWt4OwjUjaw81oKr1nJU', 'liIS3PjcLBmkSxmbfnIj4Nb16vVY5T1ney4VPHHAOIuTuDcMogimi24BfyJlM6ax'
                    Source: 7LwVrYH7sy.exe, M5lnys9o6IDNdHMVARSFPRqdPJ5HEJXcfH7CfOnGfP5JvnF5nvJbpzQa97EUaFP3RRf8OO4dKzJHT81VIZ.csHigh entropy of concatenated method names: 'CswwROom758rEddwGRbYU4PfHZr4ZjsXX6QLSiSJphogFn41w9ngR12dxT5gqwSuzIuChImMpDPAiVOF13', 'M0MnxlGw2yta2oFeaw82hmGPK6SMk5Q4QMIyFm4BebVUwe9LGvQZlrtCLMQBF4r333puehuMFcRQgBLSFt', 'eBAx6YC53jHJV6eOum7pJb4bbRNXWzIsO1g5c3f93uMeaSCIqqMrqkkOzKR9L8ge2HqpDpbDnyHlLj8qNU', 'TFwoLNsH9Gihjh3rjrwCsL3scay3nyJeaZVUKPbXgZVdmeInsIvmz5b2XHVaIkEao4TcQnNTzq5nS9Zu1a', 'PcmspIASH1BpbrsRTn1GfmKr8gPZwEmnF', 'kueIj5KrB5Cq9A0tHWJkPO3ATb2fl5gab', 'OYhq2IskHrH6pppd6xFVCauLAQvLfahTi', 'H5Ukqzh5ds156W4p0IVsXSGycpM5RYCd9', '_2xBM63SNiYlKcb7g7RIRLRRWtYZzpNQbO', 'bPGvYizmFP12FHfXlR3CyuYKFleS0qZ5L'
                    Source: 7LwVrYH7sy.exe, 5njIlfOWWD34q6q4hhViUMoznrsghikwR5mIoOMwf09gSEXU5slzvTqvrJL7RGULTsPS5gyKSLxXnbpOPQ.csHigh entropy of concatenated method names: 'FDOR0VNhC1xIyxpHY6sAxDnAMj2BAafHfTtYufY4I0j0gQSMt6ItoL2NO1tsbfXD3FRDHTFv7weC02sZCN', 'pv7HA3D1zs3YFAi37WxJSiZA', '_0b9T6pJqjH1bCTHWxfazhCki', 'YvN3WJSZamcT71LH09XOz9s6', 'zfvzOx8Iwrke7NMHj9BfgdRo', 'd0FpsAD7Pz2BmOp2bnKI91NH', 'evXyN4G6IUJMXH4IGBKJZ3cL', 'cZ9fcrKk4pUJC4ZQynRQNpnZ', '_3JHYfhemvl9d9dt4h2pfwsO0', 'a03XnLnbKaeqNMuHf6Kpi2wL'
                    Source: 7LwVrYH7sy.exe, C99eak6kf4CFZXWqst3XYEOW8nD2rEsw5RRZPX0dDXlQTgYhQhlVpprjOFlgLLcI.csHigh entropy of concatenated method names: 'VP6m5tIaDwMw294mVzCVExu4YlpvSdJ3cPrp6PLvPKLbqZbZ1E93FFFwOv8YGYOo', 'sPfKm83KgafEJOPO', '_29bb85gMyraJABWz', '_5jd9HgYAjnFvon1R', 'ioWh8wh8XIF7ahYV'
                    Source: SystemUser.exe.0.dr, ezFPTHzJaLIpKctPhuDzXUuP.csHigh entropy of concatenated method names: '_7bkMcnokonC1WccBZtFVCpco', 'XOEpZYniFI899DbDgaXMCDQJ', '_8h7dwaEJU7kDAXhoJlhBlv32', 'qxRISJ7WXq6ZF1pXNwe0u3fWF5RkGHYANJEvZXF1SjGFj7ZCgQa', '_1AYeKywSegrixxx1vM9onN2Tenop3sQzHidEUa37KDg0RsRsQDL', '_0InhDEf1yayQ7WTBi4Pw2j6GXPLvrTM5a5PMSWsdH8EVvNCaKjC', 'SP9TsmJcR7ZT4E3S7r8B2E2Yh65u2INcZE2erjkfjS9XSd8CHgH', 'evOmQnIQVO8c4h0YQYA0KMG7wxeUhWSKrm7nkmOZuDAesYrLWyK', 'qVDDQlzEDUEzEunD2DCBzRUpJhsR76pz97FKkkKApPtYd7LSbNP', 'yXFFeYjYHd2TAfi4xhtKzqyJjkPJqjA8GX0ZGlQEPVXBUY25bDp'
                    Source: SystemUser.exe.0.dr, 9FLYcRbWk1kTnc.csHigh entropy of concatenated method names: 'MOK85FQqZXESGjZY3yXWyxYJaJWGjJJtVjj11CHZD', 'O4SjprATqeANw0f1m7mU6hjIHsrRtWXx5L2vi2Gbp', 'sThsA0yn6VT4TGBfIE8UNGKaPzlcnekQiVUErn8vH', 'DoZfz7DOfZWC3zkLpoKpThgTOnYXeXM9NQmfRLSCT'
                    Source: SystemUser.exe.0.dr, 9yTDy1P4Q1apdx9Ah3XiCakvxe3g3DTHnCdIeEPTnPdd2ISF1MpulxBkpmhP7DCvoINhYesN.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'WrilJ2iDb8Af5wmTlKV1a7erbbxJoZA0cXXqCJOEt', 'RxilcFd2azOnswjl0wgJ9MmAnJOgL7lV1aQsLeGzN', '_8uMsatKhWXFywKrHdsB5skW55A0wBdWoiOaElTakT', 'A0f3kSlxi9dqyFshYoXP4kSYcmpwyva8bt464j6xe'
                    Source: SystemUser.exe.0.dr, qBWzdfmOeuk6VQE2D6jj4wR88H8YxRdTWmxxGxr9xeFkLL.csHigh entropy of concatenated method names: '_7vASt3iZODcazTg52vKJ73KVU6PY66FuLLWHkdO94SBLXC', '_44ZqYMd1Hsy0sCWbSoUEyC7xwnktgqsQnx9qVRAC2j47Uc', 'fyAIwz2DAe0SACcGZMjLRvysMSsJjM92xErqepyQkNFcst', 'eXqNKBfSYT7IT4PtzKYVtqR3J794aKHFgfEmLCJlFBN9AK', 'h5hXZI59Vzi9MWPlzrjGhaL2Rv49Jd7CQX1EVfNbJo4917', 'eiK8S6HHQfxQnoUBcQLxD1wEOq7Ummz2mmHtV9K5eeEgNE', 'ynmbPcmOGQLyryHvJI2yj1GSlnQ09zRdxNXLwxHXWXopJO', '_19SvYd7jO75KYNSn3ldi5gj2Q5WofFDQjyC2mF4zTaOjbE', 'VLV2QIyj3QkjtoqKYyQDmJGnEDGj24Ot1TrVJtVa5oD76q', 'jN0gMVysOnGWcFzuKbxMvkk8CWJzVPVrtczdAUbNsGIjFX'
                    Source: SystemUser.exe.0.dr, kp2V64H9esPZoiVgTImWIpd3T0wx6egrH8emtjvn8XtTgCF1Y3PC0vawPbb5atkUdAcydYJOqmkRtyyfvh.csHigh entropy of concatenated method names: 'usD0qvImEcpF1Oeqj6ny2D6pyCtgxt4bgpIINakFiHXbhYbVyfNsuKSyGtjz7YxBYnpQsbNqSKLpipUiGc', 'YLazJ0g85wekElkxHPwogd6CSKxtBBSvP', 'ETJfTVUnEMQuc9l4bZBD03xHUgDhNNomc', 'PREqbwgdYzcbZltBOgL3JFSO7NtGyTXws', 'tnmox01FG9dGmouK239ZOp0suIXnLNj5y'
                    Source: SystemUser.exe.0.dr, S60rEQCeM04uUmX6ug90lEzkB6mmz971sPqZ7kI7AIuYBrS5KwmBKZKp0Xqytzq5.csHigh entropy of concatenated method names: 'zb62tZHbzNYODArG0ajIrkCZrmKIjzIccYT0iAtgXxbvPTRKarLKbBVdv6xe0GYY', '_74z1Qa5Y0vOGEG82S1UgYDInDcBP03lp4eQYrgdLOEDs7cI9D4fNLxGD0JTn6xd8', 'XoBgsyeRTAEzlfe2D7YrcMGcHiU2TXrwKVLG1xOPushPMiMfG4ZIDCuoCdDiIcbY', 'QkoYI2ZPS5wi9zXYYGRLwelv5ewQadVqAfRbcqthfksAvEQDgZMZfpeX1E8ZNmYD', 'BUUpUZ46jkK2aN1jbszmj23qewjKW9N4dCIrTEwHbR5KeBqCO', 'Jelt3EekNNGTmyiXQhvDGHWbHFovSKgxB6qRCttGzgkcKflok', 'CwhuGDy8tO1aZppGHfXps9gPHtBe5vbKBj3mjU1VtVAVMCslU', 'wgJDSkBjyxNMsAAj0x0AJlFNo6wlvD4JiB6I5Af5ysvCVUMWc', '_2kZ6b1a150XR3UCvSw4CqZhqjZ5jUr4c2JtIfhKygQBz4fEVX', 'xZIpUJOzQZ2BmFrnrUijbyKZCaY5hKfNrLbvbI5Igxh69kD1w'
                    Source: SystemUser.exe.0.dr, ximn6HkKeGEC12l5aNK7XLvN81YNM66xIklRJ2XWOzro0i.csHigh entropy of concatenated method names: 'qQG3oDR66gIGRMTyhsvSkDVX0JdTb1AJ', 'Itm9SSjfDe3k1XhprmKxaIsdnTdJpCr6', 'cCXKkAT0J5iJNbj36YQ4GW5z6SA02Jrq', 'rgaD41sGcQbLLrKJtTS9V8JilJWmY0v2', '_8bkFdZn06oR2rpKtdHLpOXlHgGlAkisN', 'My4JzhZceP6ffJdGdIeHI0KDVCAJ1cYe', 'nd4FxkyYj38ugdBz0eqE4UX69kYcVKJR', 'Uep79HUkyrgSZHYXm0EYlk8ni98FSUke', 'fpv7HcwbBvR4M1QI21sRnmzL0Ah0a1Fi', '_3elmQ8m6SqZSX9XqHtWnvKr57ao4bEhG'
                    Source: SystemUser.exe.0.dr, fxsPBBDTgZ6v0pvTdZCvdfCDLkspbWYr.csHigh entropy of concatenated method names: 'lucWIOqDu7SDkaccxEdtgIDEveB6prdU', 'Ke2vOQjY4Gc4olDx4ecwbKfEsSbZZsUI', 'MbUm1GR52skywhDX6uWUHUqDpw83qxRG', 'lJDMobP1hHpmWvS9NhmhedIiRjExxhZM', 'sPOaNUVPAm4JgQDlPKAllMiLIzcQhNT9', 'b9pvA2tnlykz4EYsI9DXWyaoAJWPYqxK', 'BxBRlYVBq3vmuT6vi53cJnq6GmMigElW', '_3x5Rsb0p6rXVnHCDiN6NfA8GpTArbqyU', 'GldedK7ictWe79oyGIQFDhwpg4fKILDjgjcU4U1nyLvHLWt4OwjUjaw81oKr1nJU', 'liIS3PjcLBmkSxmbfnIj4Nb16vVY5T1ney4VPHHAOIuTuDcMogimi24BfyJlM6ax'
                    Source: SystemUser.exe.0.dr, M5lnys9o6IDNdHMVARSFPRqdPJ5HEJXcfH7CfOnGfP5JvnF5nvJbpzQa97EUaFP3RRf8OO4dKzJHT81VIZ.csHigh entropy of concatenated method names: 'CswwROom758rEddwGRbYU4PfHZr4ZjsXX6QLSiSJphogFn41w9ngR12dxT5gqwSuzIuChImMpDPAiVOF13', 'M0MnxlGw2yta2oFeaw82hmGPK6SMk5Q4QMIyFm4BebVUwe9LGvQZlrtCLMQBF4r333puehuMFcRQgBLSFt', 'eBAx6YC53jHJV6eOum7pJb4bbRNXWzIsO1g5c3f93uMeaSCIqqMrqkkOzKR9L8ge2HqpDpbDnyHlLj8qNU', 'TFwoLNsH9Gihjh3rjrwCsL3scay3nyJeaZVUKPbXgZVdmeInsIvmz5b2XHVaIkEao4TcQnNTzq5nS9Zu1a', 'PcmspIASH1BpbrsRTn1GfmKr8gPZwEmnF', 'kueIj5KrB5Cq9A0tHWJkPO3ATb2fl5gab', 'OYhq2IskHrH6pppd6xFVCauLAQvLfahTi', 'H5Ukqzh5ds156W4p0IVsXSGycpM5RYCd9', '_2xBM63SNiYlKcb7g7RIRLRRWtYZzpNQbO', 'bPGvYizmFP12FHfXlR3CyuYKFleS0qZ5L'
                    Source: SystemUser.exe.0.dr, 5njIlfOWWD34q6q4hhViUMoznrsghikwR5mIoOMwf09gSEXU5slzvTqvrJL7RGULTsPS5gyKSLxXnbpOPQ.csHigh entropy of concatenated method names: 'FDOR0VNhC1xIyxpHY6sAxDnAMj2BAafHfTtYufY4I0j0gQSMt6ItoL2NO1tsbfXD3FRDHTFv7weC02sZCN', 'pv7HA3D1zs3YFAi37WxJSiZA', '_0b9T6pJqjH1bCTHWxfazhCki', 'YvN3WJSZamcT71LH09XOz9s6', 'zfvzOx8Iwrke7NMHj9BfgdRo', 'd0FpsAD7Pz2BmOp2bnKI91NH', 'evXyN4G6IUJMXH4IGBKJZ3cL', 'cZ9fcrKk4pUJC4ZQynRQNpnZ', '_3JHYfhemvl9d9dt4h2pfwsO0', 'a03XnLnbKaeqNMuHf6Kpi2wL'
                    Source: SystemUser.exe.0.dr, C99eak6kf4CFZXWqst3XYEOW8nD2rEsw5RRZPX0dDXlQTgYhQhlVpprjOFlgLLcI.csHigh entropy of concatenated method names: 'VP6m5tIaDwMw294mVzCVExu4YlpvSdJ3cPrp6PLvPKLbqZbZ1E93FFFwOv8YGYOo', 'sPfKm83KgafEJOPO', '_29bb85gMyraJABWz', '_5jd9HgYAjnFvon1R', 'ioWh8wh8XIF7ahYV'
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeFile created: C:\Users\user\AppData\Roaming\SystemUser.exeJump to dropped file
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SystemUserJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SystemUserJump to behavior

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Loading BitLocker PowerShell Module
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Check if machine is in data center or colocation facility
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: 7LwVrYH7sy.exe, 00000000.00000002.2499295314.00000000034B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                    Source: 7LwVrYH7sy.exe, SystemUser.exe.0.drBinary or memory string: SBIEDLL.DLLSHKAWOMIWIDCTQOX978RKHQU1X4XGPXQJP0ZF2W5DZSZJUKF0YKE5PBBCVPSW2SEV9HQMFX7HNSVFISLVBVM
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeMemory allocated: 14F0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeMemory allocated: 1B4B0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeMemory allocated: 1050000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeMemory allocated: 1ACF0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeMemory allocated: 17F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeMemory allocated: 1B020000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeWindow / User API: threadDelayed 6215Jump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeWindow / User API: threadDelayed 3620Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3643Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6096Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7972Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1648Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7831Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1876Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7919
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1751
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exe TID: 6844Thread sleep time: -10145709240540247s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2436Thread sleep time: -6456360425798339s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4324Thread sleep count: 7972 > 30Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5940Thread sleep count: 1648 > 30Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6412Thread sleep time: -6456360425798339s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1588Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2348Thread sleep count: 7919 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2348Thread sleep count: 1751 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4716Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exe TID: 6912Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exe TID: 7132Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeThread delayed: delay time: 922337203685477
                    Source: SystemUser.exe.0.drBinary or memory string: vmware
                    Source: 7LwVrYH7sy.exe, 00000000.00000002.2537282311.000000001C237000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllO
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess information queried: ProcessInformationJump to behavior

                    Anti Debugging

                    barindex
                    Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeCode function: 0_2_00007FFAACCA7581 CheckRemoteDebuggerPresent,0_2_00007FFAACCA7581
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Adds a directory exclusion to Windows Defender
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7LwVrYH7sy.exe'
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SystemUser.exe'
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7LwVrYH7sy.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SystemUser.exe'Jump to behavior
                    Bypasses PowerShell execution policy
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7LwVrYH7sy.exe'
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7LwVrYH7sy.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '7LwVrYH7sy.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SystemUser.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemUser.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeQueries volume information: C:\Users\user\Desktop\7LwVrYH7sy.exe VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeQueries volume information: C:\Users\user\AppData\Roaming\SystemUser.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\SystemUser.exeQueries volume information: C:\Users\user\AppData\Roaming\SystemUser.exe VolumeInformation
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                    Source: 7LwVrYH7sy.exe, 00000000.00000002.2537282311.000000001C237000.00000004.00000020.00020000.00000000.sdmp, 7LwVrYH7sy.exe, 00000000.00000002.2537282311.000000001C2EB000.00000004.00000020.00020000.00000000.sdmp, 7LwVrYH7sy.exe, 00000000.00000002.2493455938.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, 7LwVrYH7sy.exe, 00000000.00000002.2537282311.000000001C286000.00000004.00000020.00020000.00000000.sdmp, 7LwVrYH7sy.exe, 00000000.00000002.2537282311.000000001C29E000.00000004.00000020.00020000.00000000.sdmp, 7LwVrYH7sy.exe, 00000000.00000002.2537282311.000000001C2E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                    Source: C:\Users\user\Desktop\7LwVrYH7sy.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                    Stealing of Sensitive Information

                    barindex
                    Yara detected XWorm
                    Source: Yara matchFile source: 7LwVrYH7sy.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.0.7LwVrYH7sy.exe.fa0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000000.1241620548.0000000000FA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2499295314.00000000034B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: 7LwVrYH7sy.exe PID: 4044, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\SystemUser.exe, type: DROPPED

                    Remote Access Functionality

                    barindex
                    Yara detected XWorm
                    Source: Yara matchFile source: 7LwVrYH7sy.exe, type: SAMPLE
                    Source: Yara matchFile source: 0.0.7LwVrYH7sy.exe.fa0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000000.1241620548.0000000000FA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2499295314.00000000034B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: 7LwVrYH7sy.exe PID: 4044, type: MEMORYSTR
                    Source: Yara matchFile source: C:\Users\user\AppData\Roaming\SystemUser.exe, type: DROPPED

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts12
                    Windows Management Instrumentation                    		1
                    Registry Run Keys / Startup Folder                    		11
                    Process Injection                    		1
                    Masquerading                    		OS Credential Dumping541
                    Security Software Discovery                    		Remote Services11
                    Archive Collected Data                    		1
                    Encrypted Channel                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts1
                    PowerShell                    		1
                    DLL Side-Loading                    		1
                    Registry Run Keys / Startup Folder                    		11
                    Disable or Modify Tools                    		LSASS Memory1
                    Process Discovery                    		Remote Desktop ProtocolData from Removable Media1
                    Non-Standard Port                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                    DLL Side-Loading                    		151
                    Virtualization/Sandbox Evasion                    		Security Account Manager151
                    Virtualization/Sandbox Evasion                    		SMB/Windows Admin SharesData from Network Shared Drive1
                    Ingress Tool Transfer                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                    Process Injection                    		NTDS1
                    Application Window Discovery                    		Distributed Component Object ModelInput Capture2
                    Non-Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    Deobfuscate/Decode Files or Information                    		LSA Secrets1
                    System Network Configuration Discovery                    		SSHKeylogging12
                    Application Layer Protocol                    		Scheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    Obfuscated Files or Information                    		Cached Domain Credentials1
                    File and Directory Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                    Software Packing                    		DCSync23
                    System Information Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                    DLL Side-Loading                    		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1530279 Sample: 7LwVrYH7sy.exe Startdate: 09/10/2024 Architecture: WINDOWS Score: 100 36 ip-api.com 2->36 44 Suricata IDS alerts for network traffic 2->44 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 13 other signatures 2->50 8 7LwVrYH7sy.exe 15 5 2->8         started        13 SystemUser.exe 2->13         started        15 SystemUser.exe 2->15         started        signatures3 process4 dnsIp5 38 ip-api.com 208.95.112.1, 49700, 80 TUT-ASUS United States 8->38 40 147.185.221.18, 14512, 49972, 49973 SALSGIVERUS United States 8->40 34 C:\Users\user\AppData\...\SystemUser.exe, PE32 8->34 dropped 52 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->52 54 Protects its processes via BreakOnTermination flag 8->54 56 Bypasses PowerShell execution policy 8->56 64 3 other signatures 8->64 17 powershell.exe 23 8->17         started        20 powershell.exe 22 8->20         started        22 powershell.exe 23 8->22         started        24 powershell.exe 8->24         started        58 Antivirus detection for dropped file 13->58 60 Multi AV Scanner detection for dropped file 13->60 62 Machine Learning detection for dropped file 13->62 file6 signatures7 process8 signatures9 42 Loading BitLocker PowerShell Module 17->42 26 conhost.exe 17->26         started        28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        process10

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    7LwVrYH7sy.exe79%ReversingLabsByteCode-MSIL.Spyware.AsyncRAT
                    7LwVrYH7sy.exe100%AviraTR/Spy.Gen
                    7LwVrYH7sy.exe100%Joe Sandbox ML

                    Dropped Files

                    SourceDetectionScannerLabelLink
                    C:\Users\user\AppData\Roaming\SystemUser.exe100%AviraTR/Spy.Gen
                    C:\Users\user\AppData\Roaming\SystemUser.exe100%Joe Sandbox ML
                    C:\Users\user\AppData\Roaming\SystemUser.exe79%ReversingLabsByteCode-MSIL.Spyware.AsyncRAT

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    http://nuget.org/NuGet.exe0%URL Reputationsafe
                    http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
                    http://schemas.xmlsoap.org/soap/encoding/0%URL Reputationsafe
                    https://contoso.com/License0%URL Reputationsafe
                    https://contoso.com/Icon0%URL Reputationsafe
                    http://crl.m0%URL Reputationsafe
                    http://schemas.xmlsoap.org/wsdl/0%URL Reputationsafe
                    https://contoso.com/0%URL Reputationsafe
                    https://nuget.org/nuget.exe0%URL Reputationsafe
                    https://aka.ms/pscore680%URL Reputationsafe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                    http://ip-api.com/line/?fields=hosting0%URL Reputationsafe

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    ip-api.com
                    		208.95.112.1
                    		truetrue
                      		unknown

                      Contacted URLs

                      NameMaliciousAntivirus DetectionReputation
                      http://ip-api.com/line/?fields=hostingfalse
                      • URL Reputation: safe
                      		unknown
                      147.185.221.18true
                        		unknown

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        http://nuget.org/NuGet.exepowershell.exe, 00000008.00000002.1342138642.000001E7CBFFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1425743236.000001F8AA6B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1562025089.000001CF1006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1779445860.00000299A479C000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000011.00000002.1630165393.0000029994959000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000008.00000002.1322985233.000001E7BC1B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1375888086.000001F89A868000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1469783250.000001CF0022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1630165393.0000029994959000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000011.00000002.1630165393.0000029994959000.00000004.00000800.00020000.00000000.sdmpfalse
                          		unknown
                          http://www.micom/pkiops/Docs/ry.htm0powershell.exe, 00000011.00000002.1809781014.00000299ACEAD000.00000004.00000020.00020000.00000000.sdmpfalse
                            		unknown
                            http://www.microsoft.copowershell.exe, 00000008.00000002.1346899622.000001E7D4302000.00000004.00000020.00020000.00000000.sdmpfalse
                              		unknown
                              https://contoso.com/Licensepowershell.exe, 00000011.00000002.1779445860.00000299A479C000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://crl.micpowershell.exe, 00000011.00000002.1811285850.00000299ACEF1000.00000004.00000020.00020000.00000000.sdmpfalse
                                		unknown
                                https://contoso.com/Iconpowershell.exe, 00000011.00000002.1779445860.00000299A479C000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                http://crl.microsoftupowershell.exe, 0000000F.00000002.1582122264.000001CF79B05000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		unknown
                                  https://github.com/Pester/Pesterpowershell.exe, 00000011.00000002.1630165393.0000029994959000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		unknown
                                    http://www.microsoft.coApowershell.exe, 00000011.00000002.1811285850.00000299ACEF1000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		unknown
                                      http://crl.mpowershell.exe, 0000000F.00000002.1592537143.000001CF7BAC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1590739892.000001CF7B8E0000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://crl.microsopowershell.exe, 0000000F.00000002.1592537143.000001CF7BAC4000.00000004.00000020.00020000.00000000.sdmpfalse
                                        		unknown
                                        http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000008.00000002.1322985233.000001E7BC1B9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1375888086.000001F89A868000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1469783250.000001CF0022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1630165393.0000029994959000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        		unknown
                                        http://www.microsoft.coqpowershell.exe, 0000000C.00000002.1442078517.000001F8B2D24000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		unknown
                                          https://contoso.com/powershell.exe, 00000011.00000002.1779445860.00000299A479C000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          https://nuget.org/nuget.exepowershell.exe, 00000008.00000002.1342138642.000001E7CBFFF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1425743236.000001F8AA6B0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1562025089.000001CF1006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1779445860.00000299A479C000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://crl.micft.cMicRosofpowershell.exe, 00000011.00000002.1811285850.00000299ACEF1000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		unknown
                                            https://aka.ms/pscore68powershell.exe, 00000008.00000002.1322985233.000001E7BBF91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1375888086.000001F89A641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1469783250.000001CF00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1630165393.0000029994731000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            		unknown
                                            http://www.microsoft.cpowershell.exe, 00000008.00000002.1347646318.000001E7D4494000.00000004.00000020.00020000.00000000.sdmpfalse
                                              		unknown
                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name7LwVrYH7sy.exe, 00000000.00000002.2499295314.00000000034B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1322985233.000001E7BBF91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1375888086.000001F89A641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1469783250.000001CF00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1630165393.0000029994731000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              		unknown
                                              http://schemas.microsoft.copowershell.exe, 00000008.00000002.1347051029.000001E7D43F0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                		unknown
                                                http://crl.microspowershell.exe, 00000008.00000002.1347646318.000001E7D445A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  		unknown

                                                  World Map of Contacted IPs

                                                  • No. of IPs < 25%
                                                  • 25% < No. of IPs < 50%
                                                  • 50% < No. of IPs < 75%
                                                  • 75% < No. of IPs

                                                  Public IPs

                                                  IPDomainCountryFlagASNASN NameMalicious
                                                  208.95.112.1
                                                  		ip-api.comUnited States
                                                  		53334TUT-ASUStrue
                                                  147.185.221.18
                                                  		unknownUnited States
                                                  		12087SALSGIVERUStrue

                                                  General Information

                                                  Joe Sandbox version:41.0.0 Charoite
                                                  Analysis ID:1530279
                                                  Start date and time:2024-10-09 23:08:05 +02:00
                                                  Joe Sandbox product:CloudBasic
                                                  Overall analysis duration:0h 6m 26s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                  Number of analysed new started processes analysed:25
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Sample name:7LwVrYH7sy.exe
                                                  renamed because original name is a hash value
                                                  Original Sample Name:98bb8993b66cdc1bab7ea0c412a867bc5ad074c22ce5ac22d2bc96855ca1829f.exe
                                                  Detection:MAL
                                                  Classification:mal100.troj.evad.winEXE@15/20@1/2
                                                  EGA Information:
                                                  • Successful, ratio: 14.3%
                                                  HCA Information:
                                                  • Successful, ratio: 100%
                                                  • Number of executed functions: 75
                                                  • Number of non-executed functions: 9
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .exe

                                                  Warnings

                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                                  • Execution Graph export aborted for target SystemUser.exe, PID 1168 because it is empty
                                                  • Execution Graph export aborted for target SystemUser.exe, PID 6256 because it is empty
                                                  • Execution Graph export aborted for target powershell.exe, PID 1912 because it is empty
                                                  • Execution Graph export aborted for target powershell.exe, PID 2176 because it is empty
                                                  • Execution Graph export aborted for target powershell.exe, PID 3792 because it is empty
                                                  • Execution Graph export aborted for target powershell.exe, PID 6052 because it is empty
                                                  • Not all processes where analyzed, report is missing behavior information
                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                  • Report size getting too big, too many NtCreateKey calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                  • VT rate limit hit for: 7LwVrYH7sy.exe

                                                  Simulations

                                                  Behavior and APIs

                                                  TimeTypeDescription
                                                  00:25:20AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SystemUser C:\Users\user\AppData\Roaming\SystemUser.exe
                                                  00:25:28AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SystemUser C:\Users\user\AppData\Roaming\SystemUser.exe
                                                  17:09:03API Interceptor57x Sleep call for process: powershell.exe modified
                                                  18:25:19API Interceptor100229x Sleep call for process: 7LwVrYH7sy.exe modified

                                                  Joe Sandbox View / Context

                                                  IPs

                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                  208.95.112.1p61Wb0tocl.exeGet hashmaliciousXWormBrowse
                                                  • ip-api.com/line/?fields=hosting
                                                  432mtXKD3l.exeGet hashmaliciousXWormBrowse
                                                  • ip-api.com/line/?fields=hosting
                                                  sUdsWh0FL4.exeGet hashmaliciousXWormBrowse
                                                  • ip-api.com/line/?fields=hosting
                                                  5q4X9fRo4b.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                  • ip-api.com/line/?fields=hosting
                                                  1yvSMiC8Jt.exeGet hashmaliciousXWormBrowse
                                                  • ip-api.com/line/?fields=hosting
                                                  WCA-Cooperative-Agreement.docx.exeGet hashmaliciousBabadeda, Exela Stealer, Python Stealer, Waltuhium GrabberBrowse
                                                  • ip-api.com/json
                                                  a3bZQko7Vi.exeGet hashmaliciousAgentTeslaBrowse
                                                  • ip-api.com/line/?fields=hosting
                                                  Wt7zcwGIYK.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                  • ip-api.com/line/?fields=hosting
                                                  FUFhVN38a7.exeGet hashmaliciousAgentTeslaBrowse
                                                  • ip-api.com/line/?fields=hosting
                                                  s6wkPrgsjG.exeGet hashmaliciousAgentTeslaBrowse
                                                  • ip-api.com/line/?fields=hosting
                                                  147.185.221.181c8DbXc5r0.exeGet hashmaliciousXWormBrowse
                                                    6Mt223MA25.exeGet hashmaliciousArrowRATBrowse
                                                      b34J4bxnmN.exeGet hashmaliciousNjratBrowse
                                                        01koiHnedL.exeGet hashmaliciousNjratBrowse
                                                          i231IEP3oh.exeGet hashmaliciousAsyncRATBrowse
                                                            killer.exeGet hashmaliciousXWormBrowse
                                                              system47.exeGet hashmaliciousXWormBrowse
                                                                javaupdate.jarGet hashmaliciousDynamic StealerBrowse
                                                                  javaupdate.jarGet hashmaliciousDynamic StealerBrowse
                                                                    LisectAVT_2403002C_149.exeGet hashmaliciousAsyncRATBrowse

                                                                      Domains

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                      ip-api.comp61Wb0tocl.exeGet hashmaliciousXWormBrowse
                                                                      • 208.95.112.1
                                                                      432mtXKD3l.exeGet hashmaliciousXWormBrowse
                                                                      • 208.95.112.1
                                                                      sUdsWh0FL4.exeGet hashmaliciousXWormBrowse
                                                                      • 208.95.112.1
                                                                      5q4X9fRo4b.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                      • 208.95.112.1
                                                                      1yvSMiC8Jt.exeGet hashmaliciousXWormBrowse
                                                                      • 208.95.112.1
                                                                      WCA-Cooperative-Agreement.docx.exeGet hashmaliciousBabadeda, Exela Stealer, Python Stealer, Waltuhium GrabberBrowse
                                                                      • 208.95.112.1
                                                                      a3bZQko7Vi.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 208.95.112.1
                                                                      Wt7zcwGIYK.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                      • 208.95.112.1
                                                                      FUFhVN38a7.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 208.95.112.1
                                                                      s6wkPrgsjG.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 208.95.112.1

                                                                      ASNs

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                      SALSGIVERUS432mtXKD3l.exeGet hashmaliciousXWormBrowse
                                                                      • 147.185.221.22
                                                                      5q4X9fRo4b.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                      • 147.185.221.17
                                                                      l18t80u9zg.exeGet hashmaliciousXWormBrowse
                                                                      • 147.185.221.22
                                                                      Windows Defender.exeGet hashmaliciousXWormBrowse
                                                                      • 147.185.221.22
                                                                      x2Yi9Hr77a.exeGet hashmaliciousXWormBrowse
                                                                      • 147.185.221.23
                                                                      e7WMhx18XN.exeGet hashmaliciousSilentXMRMiner, XmrigBrowse
                                                                      • 147.185.221.22
                                                                      SecuriteInfo.com.Trojan.MulDrop28.25270.15094.4444.exeGet hashmaliciousNjratBrowse
                                                                      • 147.185.221.22
                                                                      1c8DbXc5r0.exeGet hashmaliciousXWormBrowse
                                                                      • 147.185.221.18
                                                                      PixpFUv4G7.exeGet hashmaliciousQuasar, XWormBrowse
                                                                      • 147.185.221.21
                                                                      H2f8SkAvdV.exeGet hashmaliciousBlank Grabber, XWormBrowse
                                                                      • 147.185.221.23
                                                                      TUT-ASUSp61Wb0tocl.exeGet hashmaliciousXWormBrowse
                                                                      • 208.95.112.1
                                                                      432mtXKD3l.exeGet hashmaliciousXWormBrowse
                                                                      • 208.95.112.1
                                                                      sUdsWh0FL4.exeGet hashmaliciousXWormBrowse
                                                                      • 208.95.112.1
                                                                      5q4X9fRo4b.exeGet hashmaliciousAsyncRAT, XWormBrowse
                                                                      • 208.95.112.1
                                                                      1yvSMiC8Jt.exeGet hashmaliciousXWormBrowse
                                                                      • 208.95.112.1
                                                                      WCA-Cooperative-Agreement.docx.exeGet hashmaliciousBabadeda, Exela Stealer, Python Stealer, Waltuhium GrabberBrowse
                                                                      • 208.95.112.1
                                                                      a3bZQko7Vi.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 208.95.112.1
                                                                      Wt7zcwGIYK.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                      • 208.95.112.1
                                                                      FUFhVN38a7.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 208.95.112.1
                                                                      s6wkPrgsjG.exeGet hashmaliciousAgentTeslaBrowse
                                                                      • 208.95.112.1

                                                                      JA3 Fingerprints

                                                                      No context

                                                                      Dropped Files

                                                                      No context

                                                                      Created / dropped Files

                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SystemUser.exe.log

                                                                      Download File
                                                                      Process:C:\Users\user\AppData\Roaming\SystemUser.exe
                                                                      File Type:CSV text
                                                                      Category:dropped
                                                                      Size (bytes):654
                                                                      Entropy (8bit):5.380476433908377
                                                                      Encrypted:false
                                                                      SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                      MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                      SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                      SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                      SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                      Malicious:false
                                                                      Reputation:moderate, very likely benign file
                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):64
                                                                      Entropy (8bit):0.34726597513537405
                                                                      Encrypted:false
                                                                      SSDEEP:3:Nlll:Nll
                                                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                      Malicious:false
                                                                      Preview:@...e...........................................................

                                                                      C:\Users\user\AppData\Local\Temp\Log.tmp

                                                                      Download File
                                                                      Process:C:\Users\user\Desktop\7LwVrYH7sy.exe
                                                                      File Type:Generic INItialization configuration [WIN]
                                                                      Category:dropped
                                                                      Size (bytes):58
                                                                      Entropy (8bit):3.598349098128234
                                                                      Encrypted:false
                                                                      SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovX:EFYJKDoWr5FYJKDoP
                                                                      MD5:5362ACB758D5B0134C33D457FCC002D9
                                                                      SHA1:BC56DFFBE17C015DB6676CF56996E29DF426AB92
                                                                      SHA-256:13229E0AD721D53BF9FB50FA66AE92C6C48F2ABB785F9E17A80E224E096028A4
                                                                      SHA-512:3FB6DA9993FBFC1DC3204DC2529FB7D9C6FE4E6F06E6C8E2DC0BE05CD0E990ED2643359F26EC433087C1A54C8E1C87D02013413CE8F4E1A6D2F380BE0F5EB09B
                                                                      Malicious:false
                                                                      Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0hfzizqu.rmg.ps1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3erv4nnn.d32.psm1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aeavc52x.1m4.ps1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ai2ppuo3.anp.ps1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fb2iu3si.jkb.ps1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fm3hdjdv.cn1.ps1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gs35r5w5.msd.psm1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k0ytpx4r.pjw.psm1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lczawbn0.kb5.psm1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mhfma0el.4wn.psm1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oohf1qb0.cik.psm1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_runqekmt.4fe.ps1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u5qdhebu.44o.ps1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vgciao45.m2w.psm1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yc0da4ty.fdn.psm1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yh0hc5hl.axg.ps1

                                                                      Download File
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:ASCII text, with no line terminators
                                                                      Category:dropped
                                                                      Size (bytes):60
                                                                      Entropy (8bit):4.038920595031593
                                                                      Encrypted:false
                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                      Malicious:false
                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                      C:\Users\user\AppData\Roaming\SystemUser.exe

                                                                      Download File
                                                                      Process:C:\Users\user\Desktop\7LwVrYH7sy.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):71680
                                                                      Entropy (8bit):5.981660184162922
                                                                      Encrypted:false
                                                                      SSDEEP:1536:uhMvu8rbNS8Z5V4Dt9Brzp1IbRNoMOrk6gkVxOAzPFD1uPb:RwACXr0bRvoxOI9Dwj
                                                                      MD5:4F99E5E92E4EB0D0FA2AA397D5860CE2
                                                                      SHA1:4A22AD6D61EC0430F49ADDAFBC10F0124D125C40
                                                                      SHA-256:98BB8993B66CDC1BAB7EA0C412A867BC5AD074C22CE5AC22D2BC96855CA1829F
                                                                      SHA-512:B4E1002A1883F2849B89B0BB818B49D3A56E69CCB65D27CD571611FB7EAC86DD0E3A14EB33249F629C3BEB7F3BAB0E39D968E67DB44856ABB061FA594610FC54
                                                                      Malicious:true
                                                                      Yara Hits:
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\SystemUser.exe, Author: Joe Security
                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\SystemUser.exe, Author: Joe Security
                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\SystemUser.exe, Author: ditekSHen
                                                                      Antivirus:
                                                                      • Antivirus: Avira, Detection: 100%
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      • Antivirus: ReversingLabs, Detection: 79%
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g.............................-... ...@....@.. ....................................@..................................,..W....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H........`..........&.....................................................(....*.r...p*. E/..*..(....*.r3..p*. .=..*.s.........s.........s.........s.........*.r...p*. .d..*.r...p*. .C..*.r/..p*. .(..*.r...p*. .~Z.*.r...p*. ....*..((...*.r...p*. ...*.rM..p*. ..e.*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Q...*"(....+.*&(....&+.*.+5sc... .... .'..od...(,...~....-.(_...(Q...~....oe...&.-.*.r[..p*. .R..*.r...p*. *p{.*.r...p*.r...p*.r-..p*. /?..*.r...p*.rW..p*. .G%.*.r...p*. .

                                                                      Static File Info

                                                                      General

                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                      Entropy (8bit):5.981660184162922
                                                                      TrID:
                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                      • Windows Screen Saver (13104/52) 0.07%
                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                      File name:7LwVrYH7sy.exe
                                                                      File size:71'680 bytes
                                                                      MD5:4f99e5e92e4eb0d0fa2aa397d5860ce2
                                                                      SHA1:4a22ad6d61ec0430f49addafbc10f0124d125c40
                                                                      SHA256:98bb8993b66cdc1bab7ea0c412a867bc5ad074c22ce5ac22d2bc96855ca1829f
                                                                      SHA512:b4e1002a1883f2849b89b0bb818b49d3a56e69ccb65d27cd571611fb7eac86dd0e3a14eb33249f629c3beb7f3bab0e39d968e67db44856abb061fa594610fc54
                                                                      SSDEEP:1536:uhMvu8rbNS8Z5V4Dt9Brzp1IbRNoMOrk6gkVxOAzPFD1uPb:RwACXr0bRvoxOI9Dwj
                                                                      TLSH:B7637D2C7BF50526E5FFAFB549F13256CB39B7139803D21F24C9018A1727A88CE616E6
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.............................-... ...@....@.. ....................................@................................

                                                                      File Icon

                                                                      Icon Hash:00928e8e8686b000

                                                                      Static PE Info

                                                                      General

                                                                      Entrypoint:0x412d2e
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                      Time Stamp:0x670692EC [Wed Oct 9 14:27:56 2024 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:4
                                                                      OS Version Minor:0
                                                                      File Version Major:4
                                                                      File Version Minor:0
                                                                      Subsystem Version Major:4
                                                                      Subsystem Version Minor:0
                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                      Entrypoint Preview

                                                                      Instruction
                                                                      jmp dword ptr [00402000h]
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al
                                                                      add byte ptr [eax], al

                                                                      Data Directories

                                                                      NameVirtual AddressVirtual Size Is in Section
                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT0x12cd40x57.text
                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x140000x4ce.rsrc
                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x160000xc.reloc
                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                      Sections

                                                                      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                      .text0x20000x10d340x10e004fb82213fa990dcf15935c6f3719c77dFalse0.5992910879629629data6.057667470683641IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                      .rsrc0x140000x4ce0x600f9052177c59fad11b6e11866b69a673fFalse0.375data3.726864092899557IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                      .reloc0x160000xc0x200558988f33af3d4ffefa15644bc8f05c1False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                      Resources

                                                                      NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                      RT_VERSION0x140a00x244data0.4724137931034483
                                                                      RT_MANIFEST0x142e40x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                                                                      Imports

                                                                      DLLImport
                                                                      mscoree.dll_CorExeMain

                                                                      Network Behavior

                                                                      Suricata IDS Alerts

                                                                      TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                      2024-10-09T23:10:35.458943+02002855924ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.749973147.185.221.1814512TCP

                                                                      Network Port Distribution

                                                                      TCP Packets

                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                      Oct 9, 2024 23:09:03.393064022 CEST4970080192.168.2.7208.95.112.1
                                                                      Oct 9, 2024 23:09:03.398904085 CEST8049700208.95.112.1192.168.2.7
                                                                      Oct 9, 2024 23:09:03.398993015 CEST4970080192.168.2.7208.95.112.1
                                                                      Oct 9, 2024 23:09:03.400054932 CEST4970080192.168.2.7208.95.112.1
                                                                      Oct 9, 2024 23:09:03.405427933 CEST8049700208.95.112.1192.168.2.7
                                                                      Oct 9, 2024 23:09:03.879553080 CEST8049700208.95.112.1192.168.2.7
                                                                      Oct 9, 2024 23:09:03.926649094 CEST4970080192.168.2.7208.95.112.1
                                                                      Oct 9, 2024 23:09:42.978125095 CEST8049700208.95.112.1192.168.2.7
                                                                      Oct 9, 2024 23:09:42.978192091 CEST4970080192.168.2.7208.95.112.1
                                                                      Oct 9, 2024 23:09:59.327404022 CEST4997214512192.168.2.7147.185.221.18
                                                                      Oct 9, 2024 23:09:59.332432985 CEST1451249972147.185.221.18192.168.2.7
                                                                      Oct 9, 2024 23:09:59.332519054 CEST4997214512192.168.2.7147.185.221.18
                                                                      Oct 9, 2024 23:09:59.378115892 CEST4997214512192.168.2.7147.185.221.18
                                                                      Oct 9, 2024 23:09:59.383088112 CEST1451249972147.185.221.18192.168.2.7
                                                                      Oct 9, 2024 23:10:14.181874037 CEST4997214512192.168.2.7147.185.221.18
                                                                      Oct 9, 2024 23:10:14.186924934 CEST1451249972147.185.221.18192.168.2.7
                                                                      Oct 9, 2024 23:10:20.706348896 CEST1451249972147.185.221.18192.168.2.7
                                                                      Oct 9, 2024 23:10:20.706435919 CEST4997214512192.168.2.7147.185.221.18
                                                                      Oct 9, 2024 23:10:21.599416018 CEST4997214512192.168.2.7147.185.221.18
                                                                      Oct 9, 2024 23:10:21.601445913 CEST4997314512192.168.2.7147.185.221.18
                                                                      Oct 9, 2024 23:10:21.604351997 CEST1451249972147.185.221.18192.168.2.7
                                                                      Oct 9, 2024 23:10:21.606450081 CEST1451249973147.185.221.18192.168.2.7
                                                                      Oct 9, 2024 23:10:21.606532097 CEST4997314512192.168.2.7147.185.221.18
                                                                      Oct 9, 2024 23:10:21.637734890 CEST4997314512192.168.2.7147.185.221.18
                                                                      Oct 9, 2024 23:10:21.642729044 CEST1451249973147.185.221.18192.168.2.7
                                                                      Oct 9, 2024 23:10:35.458942890 CEST4997314512192.168.2.7147.185.221.18
                                                                      Oct 9, 2024 23:10:35.463922024 CEST1451249973147.185.221.18192.168.2.7
                                                                      Oct 9, 2024 23:10:43.003947973 CEST1451249973147.185.221.18192.168.2.7
                                                                      Oct 9, 2024 23:10:43.004267931 CEST4997314512192.168.2.7147.185.221.18
                                                                      Oct 9, 2024 23:10:43.898916006 CEST4970080192.168.2.7208.95.112.1
                                                                      Oct 9, 2024 23:10:44.211946011 CEST4970080192.168.2.7208.95.112.1
                                                                      Oct 9, 2024 23:10:44.599560976 CEST4997314512192.168.2.7147.185.221.18
                                                                      Oct 9, 2024 23:10:44.601691961 CEST4997414512192.168.2.7147.185.221.18
                                                                      Oct 9, 2024 23:10:44.604450941 CEST1451249973147.185.221.18192.168.2.7
                                                                      Oct 9, 2024 23:10:44.606674910 CEST1451249974147.185.221.18192.168.2.7
                                                                      Oct 9, 2024 23:10:44.606754065 CEST4997414512192.168.2.7147.185.221.18
                                                                      Oct 9, 2024 23:10:44.635519981 CEST4997414512192.168.2.7147.185.221.18
                                                                      Oct 9, 2024 23:10:44.640613079 CEST1451249974147.185.221.18192.168.2.7
                                                                      Oct 9, 2024 23:10:44.817991018 CEST4970080192.168.2.7208.95.112.1
                                                                      Oct 9, 2024 23:10:46.021274090 CEST4970080192.168.2.7208.95.112.1
                                                                      Oct 9, 2024 23:10:48.427273035 CEST4970080192.168.2.7208.95.112.1
                                                                      Oct 9, 2024 23:10:53.232765913 CEST4970080192.168.2.7208.95.112.1
                                                                      Oct 9, 2024 23:10:55.740187883 CEST4997414512192.168.2.7147.185.221.18
                                                                      Oct 9, 2024 23:10:55.746874094 CEST1451249974147.185.221.18192.168.2.7
                                                                      Oct 9, 2024 23:11:02.833602905 CEST4970080192.168.2.7208.95.112.1
                                                                      Oct 9, 2024 23:11:06.003725052 CEST1451249974147.185.221.18192.168.2.7
                                                                      Oct 9, 2024 23:11:06.003968954 CEST4997414512192.168.2.7147.185.221.18

                                                                      UDP Packets

                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                      Oct 9, 2024 23:09:03.376687050 CEST5376153192.168.2.71.1.1.1
                                                                      Oct 9, 2024 23:09:03.384556055 CEST53537611.1.1.1192.168.2.7

                                                                      DNS Queries

                                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                      Oct 9, 2024 23:09:03.376687050 CEST192.168.2.71.1.1.10x46e9Standard query (0)ip-api.comA (IP address)IN (0x0001)false

                                                                      DNS Answers

                                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                      Oct 9, 2024 23:09:03.384556055 CEST1.1.1.1192.168.2.70x46e9No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false

                                                                      HTTP Request Dependency Graph

                                                                      • ip-api.com

                                                                      HTTP Packets

                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                      0192.168.2.749700208.95.112.1804044C:\Users\user\Desktop\7LwVrYH7sy.exe
                                                                      TimestampBytes transferredDirectionData
                                                                      Oct 9, 2024 23:09:03.400054932 CEST80OUTGET /line/?fields=hosting HTTP/1.1
                                                                      Host: ip-api.com
                                                                      Connection: Keep-Alive
                                                                      Oct 9, 2024 23:09:03.879553080 CEST175INHTTP/1.1 200 OK
                                                                      Date: Wed, 09 Oct 2024 21:09:03 GMT
                                                                      Content-Type: text/plain; charset=utf-8
                                                                      Content-Length: 6
                                                                      Access-Control-Allow-Origin: *
                                                                      X-Ttl: 60
                                                                      X-Rl: 44
                                                                      Data Raw: 66 61 6c 73 65 0a
                                                                      Data Ascii: false


                                                                      Statistics

                                                                      CPU Usage

                                                                      Click to jump to process

                                                                      Memory Usage

                                                                      Click to jump to process

                                                                      High Level Behavior Distribution

                                                                      Click to dive into process behavior distribution

                                                                      Behavior

                                                                      Click to jump to process

                                                                      System Behavior

                                                                      General

                                                                      Target ID:0
                                                                      Start time:17:08:58
                                                                      Start date:09/10/2024
                                                                      Path:C:\Users\user\Desktop\7LwVrYH7sy.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Users\user\Desktop\7LwVrYH7sy.exe"
                                                                      Imagebase:0xfa0000
                                                                      File size:71'680 bytes
                                                                      MD5 hash:4F99E5E92E4EB0D0FA2AA397D5860CE2
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1241620548.0000000000FA2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1241620548.0000000000FA2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2499295314.00000000034B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      Reputation:low
                                                                      Has exited:false

                                                                      General

                                                                      Target ID:8
                                                                      Start time:17:09:02
                                                                      Start date:09/10/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\7LwVrYH7sy.exe'
                                                                      Imagebase:0x7ff741d30000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:9
                                                                      Start time:17:09:03
                                                                      Start date:09/10/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff75da10000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:12
                                                                      Start time:17:09:09
                                                                      Start date:09/10/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '7LwVrYH7sy.exe'
                                                                      Imagebase:0x7ff741d30000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:13
                                                                      Start time:17:09:09
                                                                      Start date:09/10/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff75da10000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:15
                                                                      Start time:17:09:19
                                                                      Start date:09/10/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\SystemUser.exe'
                                                                      Imagebase:0x7ff741d30000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:16
                                                                      Start time:17:09:19
                                                                      Start date:09/10/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff75da10000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:17
                                                                      Start time:18:24:56
                                                                      Start date:09/10/2024
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SystemUser.exe'
                                                                      Imagebase:0x7ff741d30000
                                                                      File size:452'608 bytes
                                                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:18
                                                                      Start time:18:24:56
                                                                      Start date:09/10/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff75da10000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:22
                                                                      Start time:18:25:28
                                                                      Start date:09/10/2024
                                                                      Path:C:\Users\user\AppData\Roaming\SystemUser.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Users\user\AppData\Roaming\SystemUser.exe"
                                                                      Imagebase:0xa10000
                                                                      File size:71'680 bytes
                                                                      MD5 hash:4F99E5E92E4EB0D0FA2AA397D5860CE2
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\SystemUser.exe, Author: Joe Security
                                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\SystemUser.exe, Author: Joe Security
                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\SystemUser.exe, Author: ditekSHen
                                                                      Antivirus matches:
                                                                      • Detection: 100%, Avira
                                                                      • Detection: 100%, Joe Sandbox ML
                                                                      • Detection: 79%, ReversingLabs
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      General

                                                                      Target ID:23
                                                                      Start time:18:25:36
                                                                      Start date:09/10/2024
                                                                      Path:C:\Users\user\AppData\Roaming\SystemUser.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:"C:\Users\user\AppData\Roaming\SystemUser.exe"
                                                                      Imagebase:0xe10000
                                                                      File size:71'680 bytes
                                                                      MD5 hash:4F99E5E92E4EB0D0FA2AA397D5860CE2
                                                                      Has elevated privileges:false
                                                                      Has administrator privileges:false
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Disassembly

                                                                      Reset < >

                                                                        Execution Graph

                                                                        Execution Coverage:22.3%
                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                        Signature Coverage:33.3%
                                                                        Total number of Nodes:9
                                                                        Total number of Limit Nodes:0

                                                                        Executed Functions

                                                                        Function 00007FFAACCA7581 Relevance: 1.6, APIs: 1, Instructions: 124COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 328 7ffaacca7581-7ffaacca763d CheckRemoteDebuggerPresent 331 7ffaacca7645-7ffaacca7688 328->331 332 7ffaacca763f 328->332 332->331
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2543857163.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ffaacca0000_7LwVrYH7sy.jbxd
                                                                        Similarity
                                                                        • API ID: CheckDebuggerPresentRemote
                                                                        • String ID:
                                                                        • API String ID: 3662101638-0
                                                                        • Opcode ID: 572d5706000a379a8e304ee5c1b0a33fd9596b4a06112a03ecd35779b3ccb70e
                                                                        • Instruction ID: e51d069a6a2a5e2b3bdccc1a74a096153520444b4bdc424b268cb540db681c77
                                                                        • Opcode Fuzzy Hash: 572d5706000a379a8e304ee5c1b0a33fd9596b4a06112a03ecd35779b3ccb70e
                                                                        • Instruction Fuzzy Hash: 0331007180875C8FCB58DF68C84ABE97BE0EF65321F0442AED489D7252DB34A846CB91
                                                                        Function 00007FFAACCA1C26 Relevance: 1.4, Strings: 1, Instructions: 183COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 779 7ffaacca1c26-7ffaacca1d60 792 7ffaacca1d6a-7ffaacca1d6b 779->792 793 7ffaacca1d72-7ffaacca1d8e 792->793 795 7ffaacca1d90-7ffaacca1d93 793->795 796 7ffaacca1d9c-7ffaacca1dbf 795->796
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2543857163.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ffaacca0000_7LwVrYH7sy.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: r6
                                                                        • API String ID: 0-2984296541
                                                                        • Opcode ID: c58ac0e35536ace93fc2d74b516b438f124b9e2b370641b016174eb2252d49d1
                                                                        • Instruction ID: e3aa24d99c8babcba4bb1716e813b95b0f76ff73116ae6fdee18641ee7aaec35
                                                                        • Opcode Fuzzy Hash: c58ac0e35536ace93fc2d74b516b438f124b9e2b370641b016174eb2252d49d1
                                                                        • Instruction Fuzzy Hash: 7951D35160D7C50FE386A77898696657FD6DF8B220F0901FBE08DC71A3DD588C06C352
                                                                        Function 00007FFAACCA5BC6 Relevance: .5, Instructions: 472COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2543857163.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ffaacca0000_7LwVrYH7sy.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 99285ee9801d5dfe73e074a2a4f96415a616332e6a8c7870e4d3d25c0962f1fa
                                                                        • Instruction ID: 7e9336c1d28b506d83586fee34e40a89537dc7f58328da4079e0275ce47a29ed
                                                                        • Opcode Fuzzy Hash: 99285ee9801d5dfe73e074a2a4f96415a616332e6a8c7870e4d3d25c0962f1fa
                                                                        • Instruction Fuzzy Hash: BFF1A570919A8D8FEFA8DF28C8597E937D1FF59310F04826EE84DC7295CB3899458B81
                                                                        Function 00007FFAACCA6972 Relevance: .5, Instructions: 458COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2543857163.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ffaacca0000_7LwVrYH7sy.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7a097218e1adf1933b1eb324a2100b16cee249e74c13e026ab924fe1be316e6e
                                                                        • Instruction ID: e8633a852a04f2d220e71b2e52254fabef83133745357e9c39e7855a75bfb3ee
                                                                        • Opcode Fuzzy Hash: 7a097218e1adf1933b1eb324a2100b16cee249e74c13e026ab924fe1be316e6e
                                                                        • Instruction Fuzzy Hash: F1E1B370908A4D8FEBA8DF28C8597E977E2EF55310F04826AD84DC7291CF78E8458BC1
                                                                        Function 00007FFAACCA98A8 Relevance: 1.6, APIs: 1, Instructions: 137COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 314 7ffaacca98a8-7ffaacca98af 315 7ffaacca98ba-7ffaacca992d 314->315 316 7ffaacca98b1-7ffaacca98b9 314->316 320 7ffaacca9933-7ffaacca9940 315->320 321 7ffaacca99b9-7ffaacca99bd 315->321 316->315 322 7ffaacca9942-7ffaacca997f SetWindowsHookExW 320->322 321->322 324 7ffaacca9987-7ffaacca99b8 322->324 325 7ffaacca9981 322->325 325->324
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2543857163.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ffaacca0000_7LwVrYH7sy.jbxd
                                                                        Similarity
                                                                        • API ID: HookWindows
                                                                        • String ID:
                                                                        • API String ID: 2559412058-0
                                                                        • Opcode ID: 1b666370672fde84435bfa6d2f90f07565b2dd4c0d92ae1630379015a0e66829
                                                                        • Instruction ID: 673f2fb90dacbd175057d9a95b0faa9e0f22b4b96c8586208de0d7adb8ebcdf6
                                                                        • Opcode Fuzzy Hash: 1b666370672fde84435bfa6d2f90f07565b2dd4c0d92ae1630379015a0e66829
                                                                        • Instruction Fuzzy Hash: A841097091CA5C8FEB58DF68D80A6F9BBE1EF55321F00427ED00DC3292CA64A80687C1
                                                                        Function 00007FFAACCA870A Relevance: 1.6, APIs: 1, Instructions: 121COMMON
                                                                        Download Yara Rule

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 334 7ffaacca870a-7ffaacca9460 RtlSetProcessIsCritical 338 7ffaacca9462 334->338 339 7ffaacca9468-7ffaacca949d 334->339 338->339
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.2543857163.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7ffaacca0000_7LwVrYH7sy.jbxd
                                                                        Similarity
                                                                        • API ID: CriticalProcess
                                                                        • String ID:
                                                                        • API String ID: 2695349919-0
                                                                        • Opcode ID: e0e82dd2f78b65dc04b15450898fb28dd8fa7fff9893fb57d277e5c494d8a125
                                                                        • Instruction ID: d576ca14d58c9134ec3f894ceace9b9e13854f70e171ed07d88f9c14f8f350be
                                                                        • Opcode Fuzzy Hash: e0e82dd2f78b65dc04b15450898fb28dd8fa7fff9893fb57d277e5c494d8a125
                                                                        • Instruction Fuzzy Hash: FC31C271908A188FDB28DF98D849BF9BBF0EF55311F14412EE08AD3691DB74A846CB91

                                                                        Executed Functions

                                                                        Function 00007FFAACD76605 Relevance: .5, Instructions: 454COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1349713293.00007FFAACD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ffaacd70000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 06113082401ac2b291c98462c91b39a885aada3d1f57571c388c3ac039abc8fe
                                                                        • Instruction ID: 97d65f4f9015d2458a7459db8e1fa454e85e5d63c4799f904ead6497f29fc691
                                                                        • Opcode Fuzzy Hash: 06113082401ac2b291c98462c91b39a885aada3d1f57571c388c3ac039abc8fe
                                                                        • Instruction Fuzzy Hash: 09D148A1E0E79A8FF7659B6888555B97FA0EF46310B0441FEE45DC70D3EA28DC0A83D1
                                                                        Function 00007FFAACD74009 Relevance: .4, Instructions: 388COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1349713293.00007FFAACD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ffaacd70000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ae064da37210a6ce31d7e5def51c63c3b1a29902ee90d5a2445bdfef8ace8ebc
                                                                        • Instruction ID: 4d61f47e0f038a72fc67abd3c69e69a645bdb6d2dd8a7ff3b5981f0ea9fec9c0
                                                                        • Opcode Fuzzy Hash: ae064da37210a6ce31d7e5def51c63c3b1a29902ee90d5a2445bdfef8ace8ebc
                                                                        • Instruction Fuzzy Hash: 4EB10462A0EB968FF397972858195B53FE1DF97220B0941FBD09DC7193DE28DC0A8781
                                                                        Function 00007FFAACD74370 Relevance: .1, Instructions: 147COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1349713293.00007FFAACD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ffaacd70000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 16df4927a25088ea22326b028c2102082101ec218b823eae5f4b8b2acabb0334
                                                                        • Instruction ID: 081dcfbdbd754df88fef0ceb9ab7a8377dbb9bea4f369602b095926e05c592ef
                                                                        • Opcode Fuzzy Hash: 16df4927a25088ea22326b028c2102082101ec218b823eae5f4b8b2acabb0334
                                                                        • Instruction Fuzzy Hash: 66412572B0EA598FF7A6D76C94156B47BD1EF42220B4845BED06DC7483EE24EC1887C1
                                                                        Function 00007FFAACB8E380 Relevance: .1, Instructions: 122COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1348846878.00007FFAACB8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB8D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ffaacb8d000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3a734341d90fd43170b4588f493972abe671d77081637049f14fcb9b8a4cbefe
                                                                        • Instruction ID: 403f630a5e74da276d76fded151b56a1f4fe4162f5f355181e89b7b0d0820b17
                                                                        • Opcode Fuzzy Hash: 3a734341d90fd43170b4588f493972abe671d77081637049f14fcb9b8a4cbefe
                                                                        • Instruction Fuzzy Hash: 2641E37140EBC49FE7569B28D8459623FB0EF53320B1545EFD08CCB1A3D625E84AC792
                                                                        Function 00007FFAACCA9778 Relevance: .1, Instructions: 119COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1349282646.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ffaacca0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4e4e562d87a36a4b6e4b3d44eae903937f53840e77db2bb949b64649fdffe934
                                                                        • Instruction ID: c153671cfa7ca6fae8cb03c0f9cc3b96f66081ca1dc1b0033a414684a2927904
                                                                        • Opcode Fuzzy Hash: 4e4e562d87a36a4b6e4b3d44eae903937f53840e77db2bb949b64649fdffe934
                                                                        • Instruction Fuzzy Hash: F131A27191CB488FDB1C9B5CA84A6B97BE1FB99711F00822FE44993251CB70A8558BC2
                                                                        Function 00007FFAACD740BF Relevance: .1, Instructions: 95COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1349713293.00007FFAACD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ffaacd70000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c15b663503d1015119cf35db882d967827be94b844c8b1dd756b97391fbc8e30
                                                                        • Instruction ID: 90b4192082a5f6510138720217c448998682ad1fb9b36294266f8dc9ff174ddd
                                                                        • Opcode Fuzzy Hash: c15b663503d1015119cf35db882d967827be94b844c8b1dd756b97391fbc8e30
                                                                        • Instruction Fuzzy Hash: 30210972B0EAA78FF7A6EB1C44555746AC1DF52210B8980BAC56DC75D3DE38DC0C8B81
                                                                        Function 00007FFAACCAA64B Relevance: .1, Instructions: 88COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1349282646.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ffaacca0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8220d9baf03dc6d811bafe1bea5c7d8e95e3b193f1d035c1ac3f930c93907207
                                                                        • Instruction ID: 4fd580eb7c4a26bc5e81808fa4d3b483818135b34f9061aa348d477d8c468f29
                                                                        • Opcode Fuzzy Hash: 8220d9baf03dc6d811bafe1bea5c7d8e95e3b193f1d035c1ac3f930c93907207
                                                                        • Instruction Fuzzy Hash: DD21807190CA4C8FEB58DF9CD84A7F97BE0EB99321F00812FD449D3251DA70945ACB91
                                                                        Function 00007FFAACD743BC Relevance: .1, Instructions: 63COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1349713293.00007FFAACD70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD70000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ffaacd70000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6e5a365f8a15412ed09ba4942f95d62e370423964dccc0c2203388aa141b04e9
                                                                        • Instruction ID: 6bcf39a16ce78b72bed72f69c77c2bc176da2bf1706781b6b24c4cb9d1d04040
                                                                        • Opcode Fuzzy Hash: 6e5a365f8a15412ed09ba4942f95d62e370423964dccc0c2203388aa141b04e9
                                                                        • Instruction Fuzzy Hash: 5B110672A0E5A58FF7A6D76C84545B47FD1EF0222474940FAD16DC7493DE28EC188BC1
                                                                        Function 00007FFAACCA33B5 Relevance: .0, Instructions: 49COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1349282646.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ffaacca0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                                        • Instruction ID: 141d00dcf02e0b8f29e4104d0b8054a5580f9ba0704c2e0073df697dd715e98f
                                                                        • Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                                                        • Instruction Fuzzy Hash: 1D01447115CB088FD744EF0CE455AA5B7E0FB99364F10056DE58AC3661DA26E882CB45
                                                                        Function 00007FFAACCAA2A9 Relevance: .0, Instructions: 26COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1349282646.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ffaacca0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 459f6497fc2a8922dc70b1a0aeab7f2606eb71d42cbffa15e7f1a8ad927bd768
                                                                        • Instruction ID: c3a7ac04b45980e567e4bc4b78ce6d732c0e70e888936679dc18669a94ba8b0c
                                                                        • Opcode Fuzzy Hash: 459f6497fc2a8922dc70b1a0aeab7f2606eb71d42cbffa15e7f1a8ad927bd768
                                                                        • Instruction Fuzzy Hash: 72E09A35804A4C8F9B48EF18C81A4E97FE0FB68201B01429AE81DC3120DB319A68CBC2

                                                                        Non-executed Functions

                                                                        Function 00007FFAACCA8995 Relevance: 5.1, Strings: 4, Instructions: 144COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1349282646.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ffaacca0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: O_^$O_^$O_^$O_^
                                                                        • API String ID: 0-109995703
                                                                        • Opcode ID: ec05e94c3d8c0134a6eb152559158272ae398cfdf9b1448a5dca8503acd2f336
                                                                        • Instruction ID: 07ae7f9bb060d07a3344929fb573a4cd9d85eddbcdff3992f0393fd36804d27b
                                                                        • Opcode Fuzzy Hash: ec05e94c3d8c0134a6eb152559158272ae398cfdf9b1448a5dca8503acd2f336
                                                                        • Instruction Fuzzy Hash: 3241C19290F7C38FF35A4B2948691A12FE2EF63765B0D41F2C08D8B193ED09594A83D2
                                                                        Function 00007FFAACCA89FA Relevance: 5.1, Strings: 4, Instructions: 103COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000008.00000002.1349282646.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_8_2_7ffaacca0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: O_^$O_^$O_^$O_^
                                                                        • API String ID: 0-109995703
                                                                        • Opcode ID: 0ec8a06cdb27adb866e9b7484a151cf659da8f087b82c6d9a87b3e5581306a06
                                                                        • Instruction ID: cba87c66b3c55b1f003532213523a860469af6593143dd9f0901e6b8ced6c8af
                                                                        • Opcode Fuzzy Hash: 0ec8a06cdb27adb866e9b7484a151cf659da8f087b82c6d9a87b3e5581306a06
                                                                        • Instruction Fuzzy Hash: D131C893A0E7C3CBF7564B1948691E12FD2EF6376570D41F2C08D8A583ED196D4A42D1

                                                                        Executed Functions

                                                                        Function 00007FFAACD86605 Relevance: .5, Instructions: 453COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.1445567118.00007FFAACD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD80000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_7ffaacd80000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c4a5e46eb213d1374a65ccca82e314f8a27951656a5b18968df821a808e66079
                                                                        • Instruction ID: 5ad960b86a6878dfe30702134eeb70ed422c8533e4e66a770d6f918bacd694dc
                                                                        • Opcode Fuzzy Hash: c4a5e46eb213d1374a65ccca82e314f8a27951656a5b18968df821a808e66079
                                                                        • Instruction Fuzzy Hash: 9DD158A1A0E78A8FF766AB6848555B5BFA0EF06320F4401FED45DC70D3DA18D90A83D1
                                                                        Function 00007FFAACCB9592 Relevance: .4, Instructions: 389COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.1444809112.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_7ffaaccb0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 67cc158c9c7fbf917bd64fa0077017059d6c90ba86c7e627b20ceecc2399578d
                                                                        • Instruction ID: a051a16eb19ee114ea805a20e4ba8a6352ea732285cfcdcaf450567e2e3990b5
                                                                        • Opcode Fuzzy Hash: 67cc158c9c7fbf917bd64fa0077017059d6c90ba86c7e627b20ceecc2399578d
                                                                        • Instruction Fuzzy Hash: C9C1F9A290EBC68FF3569BAD5C655E97FB0EF53210F1841B7D48C8B193DD18A80983D2
                                                                        Function 00007FFAACB9EE20 Relevance: .1, Instructions: 125COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.1444080292.00007FFAACB9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB9D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_7ffaacb9d000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8a39e077d004e65d6ac397e6acb4fa08dba077e81fe0b761b70accab7e0d819d
                                                                        • Instruction ID: 714d2d57b4e281a93914b0de620ada937415abdd433ae8e88227b3a81e545871
                                                                        • Opcode Fuzzy Hash: 8a39e077d004e65d6ac397e6acb4fa08dba077e81fe0b761b70accab7e0d819d
                                                                        • Instruction Fuzzy Hash: 0441067180EBC48FE7569B29D8419523FF0EF57320B1505EFD088CB1A3D62AE84AC792
                                                                        Function 00007FFAACCBA63C Relevance: .1, Instructions: 121COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.1444809112.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_7ffaaccb0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 70dd4f49cd4aa317e44306d524b0edbebee611d3a13601bea3f6ff6ffa3cc103
                                                                        • Instruction ID: dfeb4bb992872f6b59d6e4d656ac989e2370825ed52f8897e337cf796debf731
                                                                        • Opcode Fuzzy Hash: 70dd4f49cd4aa317e44306d524b0edbebee611d3a13601bea3f6ff6ffa3cc103
                                                                        • Instruction Fuzzy Hash: 5F31097180DB8C8FEB59CFA8984A6E97FE0EF56321F0441AFD089C7153D6649809C791
                                                                        Function 00007FFAACCB33B5 Relevance: .0, Instructions: 49COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.1444809112.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_7ffaaccb0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                        • Instruction ID: e2b619141ef1fcec1be8a3c7fe6995b56e1b19d1a77c61dd063c573ac02f6c0a
                                                                        • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                        • Instruction Fuzzy Hash: 7F01847010CB088FD744EF0CE051AA6B3E0FF89320F10052DE58AC3661DA22E882CB41
                                                                        Function 00007FFAACCBA0FB Relevance: .0, Instructions: 43COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.1444809112.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_7ffaaccb0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1c8e8c61d729c1c3864cb0051753ce2b9538928ad3302d5844d904ebc1921ed0
                                                                        • Instruction ID: 06bf555ae7f7c41e9d03bab632f5e3348a27e5a2d9104ece8ba5ee15d088fa61
                                                                        • Opcode Fuzzy Hash: 1c8e8c61d729c1c3864cb0051753ce2b9538928ad3302d5844d904ebc1921ed0
                                                                        • Instruction Fuzzy Hash: AFF0F676559B88CFD795DF5CA8660E97F90EF66211B0401A7E18CC7162DA21C80887D1
                                                                        Function 00007FFAACD8414D Relevance: .0, Instructions: 37COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.1445567118.00007FFAACD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD80000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_7ffaacd80000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1705d8186ce217351d153b4b105231ad41de57d43fbe63f50f6026ff71aa788a
                                                                        • Instruction ID: aa6162b80d531396cc22fe250f1b05937d280a9f5f1f80ee0e2ade63d7f73b35
                                                                        • Opcode Fuzzy Hash: 1705d8186ce217351d153b4b105231ad41de57d43fbe63f50f6026ff71aa788a
                                                                        • Instruction Fuzzy Hash: BBF0BE32A0D5048FE7A9EB6CE4458A877E0EF5532071100BBE06DC71A3CE25EC44C780
                                                                        Function 00007FFAACD84400 Relevance: .0, Instructions: 35COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.1445567118.00007FFAACD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD80000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_7ffaacd80000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d658ec5fa0b220fb10b431549790600e24ff33cf182f1de18e37a21031466487
                                                                        • Instruction ID: 289bd4198b1279f02b1a7b5551a2d99acab77b3db9c96587909a3fc884d58b29
                                                                        • Opcode Fuzzy Hash: d658ec5fa0b220fb10b431549790600e24ff33cf182f1de18e37a21031466487
                                                                        • Instruction Fuzzy Hash: C6F0E272A0D5488FE7A9EB2CE4958B87BE0FF05320B0100BAE05DC7063DA25EC44C780
                                                                        Function 00007FFAACD841D1 Relevance: .0, Instructions: 29COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.1445567118.00007FFAACD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD80000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_7ffaacd80000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                        • Instruction ID: 296876416a085f06d4d3e74e16b8ee2bcb13bfbe78047f05c55245ac62924c45
                                                                        • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                        • Instruction Fuzzy Hash: 66E01A31B0C808CFEAA8DB0CE0509B977E1EB9933171141B7D15EC7561CA22ED559BC0

                                                                        Non-executed Functions

                                                                        Function 00007FFAACCB8945 Relevance: 6.4, Strings: 5, Instructions: 177COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.1444809112.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_7ffaaccb0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: N_^$N_^$N_^$N_^$N_^
                                                                        • API String ID: 0-2528851458
                                                                        • Opcode ID: 82a9e73c682c5a3061618a83d6a99e04c6f76588994e8a3fb1deaa2bdbdedd4d
                                                                        • Instruction ID: f4a24b3dbfe3ea6352fb852a2539f634c64d77f2d2f3c297beb63186e707043d
                                                                        • Opcode Fuzzy Hash: 82a9e73c682c5a3061618a83d6a99e04c6f76588994e8a3fb1deaa2bdbdedd4d
                                                                        • Instruction Fuzzy Hash: A35181E390F7C28FF75A4BA94C7A1616FD0EF23219B0D41E6C1888B5D3ED19694A43D2
                                                                        Function 00007FFAACCB8BFA Relevance: 6.3, Strings: 5, Instructions: 91COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.1444809112.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_7ffaaccb0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: N_^5$N_^8$N_^F$N_^I$N_^K
                                                                        • API String ID: 0-759930175
                                                                        • Opcode ID: 15ba52d150efa61238c18c6929944c20223e5ec03e849fa642a7c1912177b66b
                                                                        • Instruction ID: 3fa02eebaf7beba508b2bf9de6d9e4dc393c93b5291fdbb85a5c591e48238003
                                                                        • Opcode Fuzzy Hash: 15ba52d150efa61238c18c6929944c20223e5ec03e849fa642a7c1912177b66b
                                                                        • Instruction Fuzzy Hash: 2121F2F7B141264E93017BBDAC659E87B84DF9427534942F2D29CCF603DE14608A8AC6
                                                                        Function 00007FFAACCB89F5 Relevance: 5.1, Strings: 4, Instructions: 121COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000C.00000002.1444809112.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_12_2_7ffaaccb0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: N_^$N_^$N_^$N_^
                                                                        • API String ID: 0-3900292545
                                                                        • Opcode ID: 29b3e0e5d9e9ed59c4fb5c88cf92a05b43466f1262a7428a793289548282a449
                                                                        • Instruction ID: 8f02028698774f3347b063e7ebb068b7e5ebea6bc9be8715cd368334d506db2d
                                                                        • Opcode Fuzzy Hash: 29b3e0e5d9e9ed59c4fb5c88cf92a05b43466f1262a7428a793289548282a449
                                                                        • Instruction Fuzzy Hash: 9631B2E3A0FBC3CBF35A479A4C760616FD0EF6321870D42F6C1888A583EC15695B42C2

                                                                        Executed Functions

                                                                        Function 00007FFAACD9660A Relevance: .4, Instructions: 444COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1598352224.00007FFAACD90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD90000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_7ffaacd90000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bbeda4e6993932446ea37fbe8d52d8fac5dc1dcfc27b51af96c543e1ea155d54
                                                                        • Instruction ID: d847e9c36e9f7da171aa9eb2fe8f78f59393e6c9fc97dac5fc4e6219b91487cd
                                                                        • Opcode Fuzzy Hash: bbeda4e6993932446ea37fbe8d52d8fac5dc1dcfc27b51af96c543e1ea155d54
                                                                        • Instruction Fuzzy Hash: 88D16AB9A0E78A8FF7A5AB6848545B5BBE0EF46310B0401FAD46DC74D3E91DDC0A83D1
                                                                        Function 00007FFAACCC9F95 Relevance: .2, Instructions: 199COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1597303583.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_7ffaaccc0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a42e77a85152961807c560219b8bfaa5568b83882dda89d064fff843cc52c437
                                                                        • Instruction ID: 5504ad6fce8348458c5fef2a22cfa7a7fa0c546b8f77afddd0fd9c7cc4eae4f9
                                                                        • Opcode Fuzzy Hash: a42e77a85152961807c560219b8bfaa5568b83882dda89d064fff843cc52c437
                                                                        • Instruction Fuzzy Hash: FB51DCA390E69A8FE7025B6CE8660F93FD0EF5362970C42F3D4DC8A053FD15545A82D5
                                                                        Function 00007FFAACD94073 Relevance: .2, Instructions: 183COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1598352224.00007FFAACD90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD90000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_7ffaacd90000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f09bfeeab487760feeb67572c707fcb769552e3619c2390bb0f5e892f3ac6fc6
                                                                        • Instruction ID: 09b6f3438ee206a41dc9494c10237f2dbd2fc9d32e1df2cbc7d0ddb8eac8b11f
                                                                        • Opcode Fuzzy Hash: f09bfeeab487760feeb67572c707fcb769552e3619c2390bb0f5e892f3ac6fc6
                                                                        • Instruction Fuzzy Hash: FA516B76B0DA468FF799CB1C84116747BE2DF96220B4840BBC15DC7993EE29DC0983C1
                                                                        Function 00007FFAACD94370 Relevance: .1, Instructions: 147COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1598352224.00007FFAACD90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD90000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_7ffaacd90000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ebf894f5e56de2aa70613a732193f08873df1334bfa39b77adbb2b6d5cec5d6a
                                                                        • Instruction ID: 29885e651046183d4c06d494c70977aeccc901096f3b69381c4f214f67f58c92
                                                                        • Opcode Fuzzy Hash: ebf894f5e56de2aa70613a732193f08873df1334bfa39b77adbb2b6d5cec5d6a
                                                                        • Instruction Fuzzy Hash: 9D412772B0EA498FF7A5D77894505B47BD1EF42220B4805FAD15DC7583EE19EC0883C1
                                                                        Function 00007FFAACCC9748 Relevance: .1, Instructions: 134COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1597303583.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_7ffaaccc0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3463b38de6344cd61bf8a719f3685462a09826ab1851c9f46cb35a1aa7da89b9
                                                                        • Instruction ID: e58556fbe07eea3c6562621fbc5a659bc03560edf7cffcbc2936e4abd08d5a30
                                                                        • Opcode Fuzzy Hash: 3463b38de6344cd61bf8a719f3685462a09826ab1851c9f46cb35a1aa7da89b9
                                                                        • Instruction Fuzzy Hash: BE412A7190CB488FEB189F5CA8066B97BE0FB99711F04812FE04D93252DB74E855CBC2
                                                                        Function 00007FFAACBAEF00 Relevance: .1, Instructions: 125COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1596195681.00007FFAACBAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBAD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_7ffaacbad000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: be253fa2b1118f8e8788aec544947b51c6a445f5721d402590954746ec0a7545
                                                                        • Instruction ID: 992547a29defd638c44e3d0e8b67ceb1921b608930c061f7304d0452169b2acc
                                                                        • Opcode Fuzzy Hash: be253fa2b1118f8e8788aec544947b51c6a445f5721d402590954746ec0a7545
                                                                        • Instruction Fuzzy Hash: E441F37140EBC49FE7568B29D8559523FF0EF57220B1905DFD088CB1A3D626E84AC7A2
                                                                        Function 00007FFAACCCA47C Relevance: .1, Instructions: 102COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1597303583.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_7ffaaccc0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7b18bdced8777f77c586f1100e1efc07da7f698e84946deb6527f12b16db836e
                                                                        • Instruction ID: b3e722958cbc05c482712a86611258667d520ea31f6aa29d91a09f4aa58d47bd
                                                                        • Opcode Fuzzy Hash: 7b18bdced8777f77c586f1100e1efc07da7f698e84946deb6527f12b16db836e
                                                                        • Instruction Fuzzy Hash: A421283190CB4C8FEB59DFAC984A7E97FF0EB96321F04426BD048C7152DA74941ACB91
                                                                        Function 00007FFAACD940BF Relevance: .1, Instructions: 96COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1598352224.00007FFAACD90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD90000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_7ffaacd90000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1296a0be6ac444687c84f44b1a96833e389ac9e6c7043ce0c8b9cad5f169536b
                                                                        • Instruction ID: 923c9898c6454dee5ac8a46ce59f716f5bfd32329b343177c3604ef5b39e756f
                                                                        • Opcode Fuzzy Hash: 1296a0be6ac444687c84f44b1a96833e389ac9e6c7043ce0c8b9cad5f169536b
                                                                        • Instruction Fuzzy Hash: 2B21276AB0EA868FF7A5CB1844555346AE1DF56210B4940BAD16DD79D3EE2DDC0883C0
                                                                        Function 00007FFAACD96806 Relevance: .1, Instructions: 66COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1598352224.00007FFAACD90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD90000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_7ffaacd90000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2b171f8b037a10a18855115ec0c4f2d280341a08078a4b870a428c44cb63c5cc
                                                                        • Instruction ID: 0aa9f4d5d2571ccecae4d023c69094b083da2b70ffb3ff42ebd67f511079f57d
                                                                        • Opcode Fuzzy Hash: 2b171f8b037a10a18855115ec0c4f2d280341a08078a4b870a428c44cb63c5cc
                                                                        • Instruction Fuzzy Hash: E2112665B0E6898FF7A5DB988080578BBA1EF09310F5441BED16DC75C3E91AD80A8390
                                                                        Function 00007FFAACD943BC Relevance: .1, Instructions: 63COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1598352224.00007FFAACD90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD90000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_7ffaacd90000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9ae37a9471b6fab2caf52295aaecda240f4b68a4fdf36b791289b898caff2591
                                                                        • Instruction ID: 8dda6e227a0057bc8c37fc2a9c1ff83887b4bb705c742b96be8f3e18a64572d9
                                                                        • Opcode Fuzzy Hash: 9ae37a9471b6fab2caf52295aaecda240f4b68a4fdf36b791289b898caff2591
                                                                        • Instruction Fuzzy Hash: 4611C176A0E6898FF6A5D72884645B47ED1EF0222074941FAD56DCB893EE1AEC0883C1
                                                                        Function 00007FFAACCC33B5 Relevance: .0, Instructions: 49COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1597303583.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_7ffaaccc0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                        • Instruction ID: dab008755a60612cbb32ea5fd331c927475b9437b9f0d942dd88085dbf6fa95e
                                                                        • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                        • Instruction Fuzzy Hash: 1101447115CB088FD744EF0CE455AA6B7E0FB99364F10056DE58AC3661DA26E882CB45

                                                                        Non-executed Functions

                                                                        Function 00007FFAACCC8B69 Relevance: 6.4, Strings: 5, Instructions: 156COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000F.00000002.1597303583.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_15_2_7ffaaccc0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: M_^7$M_^8$M_^?$M_^@$M_^F
                                                                        • API String ID: 0-3108979760
                                                                        • Opcode ID: 43dd885bc72c56606349235e22a064236f8879e366feb70ea6563d5068a587f0
                                                                        • Instruction ID: 50a8808c5b9f80c6519db2d4517ff51d9b80fb87c6e9572e3e32db11e8429f27
                                                                        • Opcode Fuzzy Hash: 43dd885bc72c56606349235e22a064236f8879e366feb70ea6563d5068a587f0
                                                                        • Instruction Fuzzy Hash: 8741F5E3A184298D92027B7CB8059F97B90DF9523978513F6E18CCB083BE15708B86C8

                                                                        Executed Functions

                                                                        Function 00007FFAACD86605 Relevance: .4, Instructions: 448COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1817969642.00007FFAACD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD80000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_7ffaacd80000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4b8a3fe5d74b26e5c96d47145cf937b1b1baad3f6bcf7a2cf8b02b4e017534c5
                                                                        • Instruction ID: 7c84a13c6a35d84f2434a5b917471c3c4e97f6903358760ab6435d0dd4fdf0f8
                                                                        • Opcode Fuzzy Hash: 4b8a3fe5d74b26e5c96d47145cf937b1b1baad3f6bcf7a2cf8b02b4e017534c5
                                                                        • Instruction Fuzzy Hash: FDD169A1A0EBCA8FF766AB6848555B5BFA0EF06320F4801FED45DC70D3D918D90A83C1
                                                                        Function 00007FFAACB9ED40 Relevance: .1, Instructions: 124COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1815447290.00007FFAACB9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB9D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_7ffaacb9d000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e8fc0a8cbaff7ebfd8ec4fa71f02150d0018cd08588e20413ba3e3451c719733
                                                                        • Instruction ID: 25c148b7808c33d42d505a566c0da424197b8fda790aa5bd2f3b05ced368e33b
                                                                        • Opcode Fuzzy Hash: e8fc0a8cbaff7ebfd8ec4fa71f02150d0018cd08588e20413ba3e3451c719733
                                                                        • Instruction Fuzzy Hash: 3041087040EBD48FE7569B29D841A523FF0EF57220B1905DFD088CB1A3D72AE84AC792
                                                                        Function 00007FFAACCB97B1 Relevance: .1, Instructions: 109COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1816879360.00007FFAACCB5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB5000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_7ffaaccb5000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4f3c294ce24bd3ecbaa8b8450ae027e51a10c6d1f4d972a50ba4a65e12458052
                                                                        • Instruction ID: b8143f3611183fe5d1dcb5fce946f65ab99a555af82ad6fcd91fd5f63224cc4c
                                                                        • Opcode Fuzzy Hash: 4f3c294ce24bd3ecbaa8b8450ae027e51a10c6d1f4d972a50ba4a65e12458052
                                                                        • Instruction Fuzzy Hash: B731867091CA4C9FDB1CDB5CD84A6A977E0FB99721F00421FE449D3251DB71A855CBC2
                                                                        Function 00007FFAACCBA4C1 Relevance: .1, Instructions: 85COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1816879360.00007FFAACCB5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB5000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_7ffaaccb5000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 749651aa0569481058bac630d847a9c3680dfd4d183700ce197c6d8387333e6b
                                                                        • Instruction ID: 8ed281fb10381e80fe5d89c39abb651d1dc80bb0d0696a51550ae2cf40771f0e
                                                                        • Opcode Fuzzy Hash: 749651aa0569481058bac630d847a9c3680dfd4d183700ce197c6d8387333e6b
                                                                        • Instruction Fuzzy Hash: 65216371908A0C8FDB58DF9CD84A7E97BE0EB99321F10812FD44DD3156D670A85ACB91
                                                                        Function 00007FFAACCB33B5 Relevance: .0, Instructions: 49COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1816879360.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_7ffaaccb0000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                        • Instruction ID: e2b619141ef1fcec1be8a3c7fe6995b56e1b19d1a77c61dd063c573ac02f6c0a
                                                                        • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                        • Instruction Fuzzy Hash: 7F01847010CB088FD744EF0CE051AA6B3E0FF89320F10052DE58AC3661DA22E882CB41
                                                                        Function 00007FFAACCBA0FB Relevance: .0, Instructions: 42COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1816879360.00007FFAACCB5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB5000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_7ffaaccb5000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a00bc7e112ada56f09dc3da947fe84f2ed1eee37167b22ade0583433f191d0e9
                                                                        • Instruction ID: 708e992d9b46302ac8105bdd7e1baec89fb88af5ac10e8f2db4a71bae938f21f
                                                                        • Opcode Fuzzy Hash: a00bc7e112ada56f09dc3da947fe84f2ed1eee37167b22ade0583433f191d0e9
                                                                        • Instruction Fuzzy Hash: EBF0F676559B88CFD785DF5CA8650E97F90EF66211B0401A7E18CC7162DA21884887D1
                                                                        Function 00007FFAACD8414D Relevance: .0, Instructions: 37COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1817969642.00007FFAACD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD80000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_7ffaacd80000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d157a0c924d8f0fd7b645ee1d4eddbe574da443b4b3a21f0b7ba4f6b5cf5112d
                                                                        • Instruction ID: 5c5724193bd0c71c289d7c277bad1350deae70f119d8c796099b62e5273c9f48
                                                                        • Opcode Fuzzy Hash: d157a0c924d8f0fd7b645ee1d4eddbe574da443b4b3a21f0b7ba4f6b5cf5112d
                                                                        • Instruction Fuzzy Hash: 6AF0BE32A0D5048FE7A9EB6CE4458A877E0EF5532071100BBE06DC71A3CE25EC44C780
                                                                        Function 00007FFAACD84400 Relevance: .0, Instructions: 35COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1817969642.00007FFAACD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD80000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_7ffaacd80000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3ca0e2356b62d0a59c1f90f093531f78a6bc98004036da5da79f71b3fce6ba86
                                                                        • Instruction ID: 7e65d1092866128dbf100877742952fc0937f773e69200b885ae58433bf26d6a
                                                                        • Opcode Fuzzy Hash: 3ca0e2356b62d0a59c1f90f093531f78a6bc98004036da5da79f71b3fce6ba86
                                                                        • Instruction Fuzzy Hash: 19F0E272A0D5488FE7A5EB2CE4958B87BE0FF05320B0100BAE05DC7063DB25EC44C780
                                                                        Function 00007FFAACD841D1 Relevance: .0, Instructions: 29COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1817969642.00007FFAACD80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACD80000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_7ffaacd80000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                        • Instruction ID: 296876416a085f06d4d3e74e16b8ee2bcb13bfbe78047f05c55245ac62924c45
                                                                        • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                        • Instruction Fuzzy Hash: 66E01A31B0C808CFEAA8DB0CE0509B977E1EB9933171141B7D15EC7561CA22ED559BC0

                                                                        Non-executed Functions

                                                                        Function 00007FFAACCB896C Relevance: 6.4, Strings: 5, Instructions: 155COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1816879360.00007FFAACCB5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB5000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_7ffaaccb5000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: N_^$N_^$N_^$N_^$N_^
                                                                        • API String ID: 0-2528851458
                                                                        • Opcode ID: 08f02aabf3cce0c3bea42669b538941a9fee8620f84dcd3203e7bf2fdeaf242b
                                                                        • Instruction ID: 225cbac531762e92c714ed2aad10a5d2a7cd76c2c01f59ea32cd5c5feb4113d5
                                                                        • Opcode Fuzzy Hash: 08f02aabf3cce0c3bea42669b538941a9fee8620f84dcd3203e7bf2fdeaf242b
                                                                        • Instruction Fuzzy Hash: 29419593D0F7C38BF75A47A94C790A56FD0EF6321570D42F6C1988B493ED196A4B8382
                                                                        Function 00007FFAACCB8BFA Relevance: 6.3, Strings: 5, Instructions: 91COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1816879360.00007FFAACCB5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB5000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_7ffaaccb5000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: N_^5$N_^8$N_^F$N_^I$N_^K
                                                                        • API String ID: 0-759930175
                                                                        • Opcode ID: 23239d7b90cefc8b6c7613284b9219181e9ecf42c16bfb57a40dff7a504e192c
                                                                        • Instruction ID: 3fa02eebaf7beba508b2bf9de6d9e4dc393c93b5291fdbb85a5c591e48238003
                                                                        • Opcode Fuzzy Hash: 23239d7b90cefc8b6c7613284b9219181e9ecf42c16bfb57a40dff7a504e192c
                                                                        • Instruction Fuzzy Hash: 2121F2F7B141264E93017BBDAC659E87B84DF9427534942F2D29CCF603DE14608A8AC6
                                                                        Function 00007FFAACCB89F3 Relevance: 5.1, Strings: 4, Instructions: 115COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.1816879360.00007FFAACCB5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB5000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_7ffaaccb5000_powershell.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: N_^$N_^$N_^$N_^
                                                                        • API String ID: 0-3900292545
                                                                        • Opcode ID: 7588a6ee680e5811915a19bab416478b64ec9b27f1abcfd0965f1506cbdc8293
                                                                        • Instruction ID: e99d979d9c6d058e34fab977b6b80fe34eedc435193eb58ede7b48909b7faf58
                                                                        • Opcode Fuzzy Hash: 7588a6ee680e5811915a19bab416478b64ec9b27f1abcfd0965f1506cbdc8293
                                                                        • Instruction Fuzzy Hash: 8431D6D3A0FBC38BF75A47995C760A16FD0EF6321830D42F5C1988B583ED146A4B42C2

                                                                        Executed Functions

                                                                        Function 00007FFAACCD07D3 Relevance: 2.6, Strings: 2, Instructions: 142COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.1968014041.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_22_2_7ffaaccd0000_SystemUser.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: <M_^$I
                                                                        • API String ID: 0-1774059089
                                                                        • Opcode ID: 008a7ab46365c3cbc6167cc9b01d2ee658cfb37b3133399f9385f7762193a837
                                                                        • Instruction ID: 4a234ac99d405b559441a6f3c4547522849770fb34b1ebef222a7fbf4db971cc
                                                                        • Opcode Fuzzy Hash: 008a7ab46365c3cbc6167cc9b01d2ee658cfb37b3133399f9385f7762193a837
                                                                        • Instruction Fuzzy Hash: 834116B1A1D2895FD342EB7CE4659F9BFB1FF86214B4446F6D24CC7293DE2898048741
                                                                        Function 00007FFAACCD0AD3 Relevance: 1.5, Strings: 1, Instructions: 223COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.1968014041.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_22_2_7ffaaccd0000_SystemUser.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 9M_^
                                                                        • API String ID: 0-1708477388
                                                                        • Opcode ID: fcca62b94da22413086c383f5a7dc77c88cfd748d536ced19187e8ca90c51eda
                                                                        • Instruction ID: 7d0b26a71ce83bda2cd7eea4a21a5bd61c85e5d2969f56c3a77b2d8535cb67ab
                                                                        • Opcode Fuzzy Hash: fcca62b94da22413086c383f5a7dc77c88cfd748d536ced19187e8ca90c51eda
                                                                        • Instruction Fuzzy Hash: E36128A6A0961A9EE701BB7CE4456FC7BE0EF85325B0446F7D10CC7183CF68A48687D4
                                                                        Function 00007FFAACCD0E8E Relevance: 1.4, Strings: 1, Instructions: 200COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.1968014041.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_22_2_7ffaaccd0000_SystemUser.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4M_^
                                                                        • API String ID: 0-2545914641
                                                                        • Opcode ID: 072719c91800873142e16968e5d9ee55f49916d473a3bd43b3fb65b88cdd2be0
                                                                        • Instruction ID: 30be953d43af231b105d63de2bc5a701e62c43f439e6df79828f287b38c6740d
                                                                        • Opcode Fuzzy Hash: 072719c91800873142e16968e5d9ee55f49916d473a3bd43b3fb65b88cdd2be0
                                                                        • Instruction Fuzzy Hash: 2B512562A0E6860FE357A73C98566B93FE5DF87220B0941FBD08DC7193DD1C9C468392
                                                                        Function 00007FFAACCD1C26 Relevance: 1.4, Strings: 1, Instructions: 185COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.1968014041.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_22_2_7ffaaccd0000_SystemUser.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: r6
                                                                        • API String ID: 0-2984296541
                                                                        • Opcode ID: 6f8039e9a320b888a6b963c7d7867e90f39d241edddb69bccfd63a164e15cb9c
                                                                        • Instruction ID: a3c952e8b3d40be337ae58e96272d37bcf617a647570008c7ec2c316c84004f7
                                                                        • Opcode Fuzzy Hash: 6f8039e9a320b888a6b963c7d7867e90f39d241edddb69bccfd63a164e15cb9c
                                                                        • Instruction Fuzzy Hash: 6F51E351B0E7C50FE38697B898696657FD6DF8B220B0901FBE08DCB1A3DD588C06C352
                                                                        Function 00007FFAACCD0778 Relevance: 1.4, Strings: 1, Instructions: 158COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.1968014041.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_22_2_7ffaaccd0000_SystemUser.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: I
                                                                        • API String ID: 0-3707901625
                                                                        • Opcode ID: aa4ce45b5742861241bc4eba59df464f3e740ecf9921029d4b4e29c27966d123
                                                                        • Instruction ID: 6e75426c228a57ed3602a1d520577916bacc0348cb8897f0156e77cb30362dd7
                                                                        • Opcode Fuzzy Hash: aa4ce45b5742861241bc4eba59df464f3e740ecf9921029d4b4e29c27966d123
                                                                        • Instruction Fuzzy Hash: E0516CA1A0D3855FD342EB3CE4646F9BFA1FF86214B4442F6D28C8B297DE2894088781
                                                                        Function 00007FFAACCD0638 Relevance: 1.4, Strings: 1, Instructions: 138COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.1968014041.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_22_2_7ffaaccd0000_SystemUser.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: r6
                                                                        • API String ID: 0-2984296541
                                                                        • Opcode ID: 88f4cc9575b5efc562e03fbe06247439f56be9e5369d0daee34bcf5085fc7f3d
                                                                        • Instruction ID: 0b250ee28b9c095d72ee4422cc0aae8dead722a1361b8124aa279d2d4b821756
                                                                        • Opcode Fuzzy Hash: 88f4cc9575b5efc562e03fbe06247439f56be9e5369d0daee34bcf5085fc7f3d
                                                                        • Instruction Fuzzy Hash: 7731C661B189494FE798EB7CD46AB79B6C6EFD9211F0406BAE04EC3293DE649C018381
                                                                        Function 00007FFAACCD0D21 Relevance: 1.4, Strings: 1, Instructions: 126COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.1968014041.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_22_2_7ffaaccd0000_SystemUser.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 6
                                                                        • API String ID: 0-1452363761
                                                                        • Opcode ID: bd415657950c523bc004bf1ac248e3587040494cab48348b33df5bea64e75627
                                                                        • Instruction ID: 02a3c03bddd6766e9e69c4e3e2227de7a9fdd8af145b6b00e67c5ff16ca04e66
                                                                        • Opcode Fuzzy Hash: bd415657950c523bc004bf1ac248e3587040494cab48348b33df5bea64e75627
                                                                        • Instruction Fuzzy Hash: DE318591B18A0A5BF745BBBC985A7BC76D6EF99311F0442BBE00DC3193DE68AC458381
                                                                        Function 00007FFAACCD1719 Relevance: .4, Instructions: 376COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.1968014041.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_22_2_7ffaaccd0000_SystemUser.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2047fe01dc830ef01ec5b4691d7fdb92a4b6c3b4333d8cca5d1006e938c05d8b
                                                                        • Instruction ID: 1a14247a53f6e8055c86155813f6a7d89294cbc77862f6a469274ab61290b95b
                                                                        • Opcode Fuzzy Hash: 2047fe01dc830ef01ec5b4691d7fdb92a4b6c3b4333d8cca5d1006e938c05d8b
                                                                        • Instruction Fuzzy Hash: 80C10971B19A498FEB95EB78C4697BC77A2EF99350B4444B9E10EC32D3DE28D8058780
                                                                        Function 00007FFAACCD0985 Relevance: .3, Instructions: 346COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.1968014041.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_22_2_7ffaaccd0000_SystemUser.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8e9283aeacb43b3e82360f7d67428e0d68ee528e0f59e6816582e93a25fdb123
                                                                        • Instruction ID: a37e4c030ded9402dedf8ec02c6f9c218b46a98ce026fe15632bb6658d8effe7
                                                                        • Opcode Fuzzy Hash: 8e9283aeacb43b3e82360f7d67428e0d68ee528e0f59e6816582e93a25fdb123
                                                                        • Instruction Fuzzy Hash: C6A1F6A6B0956A9ED701BB7CF8456FD7BA0EF86331B0442F7D14CCA183CA24A44687D5
                                                                        Function 00007FFAACCD09D3 Relevance: .3, Instructions: 320COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.1968014041.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_22_2_7ffaaccd0000_SystemUser.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5f95a59b0ea685d79b6443b6a0044ce4e82e3af4369b095a0aa36e080f7de9c0
                                                                        • Instruction ID: 91030d5452adef7861b68e614e5d1b829ab5ba4efb44dcfb0dd8b0d7ad9ee22d
                                                                        • Opcode Fuzzy Hash: 5f95a59b0ea685d79b6443b6a0044ce4e82e3af4369b095a0aa36e080f7de9c0
                                                                        • Instruction Fuzzy Hash: 6991E3A6B0956A9AD701BB7CF8056FD7BA0EF86331B0447F7D14CCA183CE64A08687D4
                                                                        Function 00007FFAACCD0A08 Relevance: .3, Instructions: 305COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.1968014041.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_22_2_7ffaaccd0000_SystemUser.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a7ef06415c6416759dec40e86100d2c6e17315b1e04e0badaae87ded459d15bf
                                                                        • Instruction ID: f5764751bd624372ff704238d6b53db9efe81ad7bdc4c31d3dc65c9b590a9df8
                                                                        • Opcode Fuzzy Hash: a7ef06415c6416759dec40e86100d2c6e17315b1e04e0badaae87ded459d15bf
                                                                        • Instruction Fuzzy Hash: 798104A6B0952A9ED701BB7CF8056FD7BA0EF86331B0446F7D14CCA183CE64A08687D4
                                                                        Function 00007FFAACCD0A10 Relevance: .3, Instructions: 301COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.1968014041.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_22_2_7ffaaccd0000_SystemUser.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: cae8ff8281d3eae0f2b9ec6061d857a53325917cc7558d967400326bc2b1d6d8
                                                                        • Instruction ID: 08477e92078baab543de3686301dd7b274a7ef27a6d3bb44c5fb13bcfeb745d5
                                                                        • Opcode Fuzzy Hash: cae8ff8281d3eae0f2b9ec6061d857a53325917cc7558d967400326bc2b1d6d8
                                                                        • Instruction Fuzzy Hash: 4281E4A6B0952A9ED700BB7CF8056FD7BA0EF86331B0446F7D14DCA183CE64A48687D4
                                                                        Function 00007FFAACCD0A48 Relevance: .3, Instructions: 270COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.1968014041.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_22_2_7ffaaccd0000_SystemUser.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 57e247baa87a93d10e56d337c58ed3b8e76e4b08a171a46bde5cb179c9ca621d
                                                                        • Instruction ID: bb0fb3fcf2fb681d0a866de77311f564261a0a2ae029b862767bee85b5c5c0de
                                                                        • Opcode Fuzzy Hash: 57e247baa87a93d10e56d337c58ed3b8e76e4b08a171a46bde5cb179c9ca621d
                                                                        • Instruction Fuzzy Hash: 0B71E2A6B0952A9ED700BB7CE8496FD7BA1EF85321B0446F7D14CCB183CE64A08687D4
                                                                        Function 00007FFAACCD0BD3 Relevance: .1, Instructions: 119COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.1968014041.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_22_2_7ffaaccd0000_SystemUser.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e559b45bcaf850f5b83006834b56f588619bf03d5a6476d882cfa709d44ba896
                                                                        • Instruction ID: 84fc47ed64a269973267666e3d5a7869a5992774d63cccd0e07cfbfa5544d843
                                                                        • Opcode Fuzzy Hash: e559b45bcaf850f5b83006834b56f588619bf03d5a6476d882cfa709d44ba896
                                                                        • Instruction Fuzzy Hash: 2541E3B0A18A4D9FEB81EB78C4657FDBBB1FF99310F5005B6D10DC3282CE28A8458781
                                                                        Function 00007FFAACCD1DC1 Relevance: .0, Instructions: 43COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000016.00000002.1968014041.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_22_2_7ffaaccd0000_SystemUser.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 036b56869b99f6fc2afaffcbcab59fcec473a847032621cf8ced76ee7f803d2f
                                                                        • Instruction ID: 4578ceb022f9a24cf1a8275a4e201b0673f25bf6fb121f1f94cde2658009ab6f
                                                                        • Opcode Fuzzy Hash: 036b56869b99f6fc2afaffcbcab59fcec473a847032621cf8ced76ee7f803d2f
                                                                        • Instruction Fuzzy Hash: B301265590E7C14FF793AB3858695717FE0DFA3260B0804EBE58CC71A3D908999883C2

                                                                        Executed Functions

                                                                        Function 00007FFAACCA1C26 Relevance: 1.4, Strings: 1, Instructions: 183COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000017.00000002.2050811774.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_23_2_7ffaacca0000_SystemUser.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: r6
                                                                        • API String ID: 0-2984296541
                                                                        • Opcode ID: af390797fa93d3fdab6a33286145c14cfc4f8a278a3428e448c951ba645a1fe8
                                                                        • Instruction ID: 47baafe730e8a15102ddf542c90f252405b254b64bdfdc8b406b62c285f3bdb1
                                                                        • Opcode Fuzzy Hash: af390797fa93d3fdab6a33286145c14cfc4f8a278a3428e448c951ba645a1fe8
                                                                        • Instruction Fuzzy Hash: B051D151A0E7C50FE786A7B898696657FD6DF9B220F0901FBE08DCB1A3DD588C06C352
                                                                        Function 00007FFAACCA0AD3 Relevance: 1.5, Strings: 1, Instructions: 223COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000017.00000002.2050811774.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_23_2_7ffaacca0000_SystemUser.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 9P_^
                                                                        • API String ID: 0-1898675183
                                                                        • Opcode ID: 2c548d7f95b70ccb952cdfa244eb392959d6e7db378053eddcda3cfd0fee75e4
                                                                        • Instruction ID: 967fe848701f1b6c45bd75578862482e39f50623abe578d50decec998b6f08ff
                                                                        • Opcode Fuzzy Hash: 2c548d7f95b70ccb952cdfa244eb392959d6e7db378053eddcda3cfd0fee75e4
                                                                        • Instruction Fuzzy Hash: 74615BB6A0951A9EE700FBBCE4499FC7BE5EF89324B0441B6D00DC7193CF68A48683D4
                                                                        Function 00007FFAACCA0E8E Relevance: 1.4, Strings: 1, Instructions: 198COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000017.00000002.2050811774.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_23_2_7ffaacca0000_SystemUser.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 4P_^
                                                                        • API String ID: 0-2202116914
                                                                        • Opcode ID: e9d30cc38b99fdb018993be6f5b241dbf5da5f07e61d37199fb38404279b2d2d
                                                                        • Instruction ID: 366c37d2f3aed60db7b910b3c5fef5c317d1ba8b06f1f567ad9ff10f75475e01
                                                                        • Opcode Fuzzy Hash: e9d30cc38b99fdb018993be6f5b241dbf5da5f07e61d37199fb38404279b2d2d
                                                                        • Instruction Fuzzy Hash: 2A516B62A0D6860FE356A73CD85A5B97FD6DF87220B0940FBD08DC7193DD1C9C468392
                                                                        Function 00007FFAACCA07D3 Relevance: 1.4, Strings: 1, Instructions: 141COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000017.00000002.2050811774.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_23_2_7ffaacca0000_SystemUser.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: <P_^
                                                                        • API String ID: 0-1190497245
                                                                        • Opcode ID: 06207afe098e3840f0ea6f9db2030c7a663ad50923c000359d0b424d2505b43e
                                                                        • Instruction ID: 35c536b49aff8437570fb07872bd54d19bcadb903a05bd934491ca76f21fdc48
                                                                        • Opcode Fuzzy Hash: 06207afe098e3840f0ea6f9db2030c7a663ad50923c000359d0b424d2505b43e
                                                                        • Instruction Fuzzy Hash: 704128B091D2898FD341F778D069AF9BFE1EF4A228B9481F6E04DC72A3DF2894058745
                                                                        Function 00007FFAACCA0638 Relevance: 1.4, Strings: 1, Instructions: 138COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000017.00000002.2050811774.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_23_2_7ffaacca0000_SystemUser.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: r6
                                                                        • API String ID: 0-2984296541
                                                                        • Opcode ID: e4d937c122daf937e25dc04c3e00d55308c7ebd7d49f728e26f8e9a92e984904
                                                                        • Instruction ID: f42b9f45d110750142695eb05a2bc619ee65155d4bb059f3652d5d28ef16a622
                                                                        • Opcode Fuzzy Hash: e4d937c122daf937e25dc04c3e00d55308c7ebd7d49f728e26f8e9a92e984904
                                                                        • Instruction Fuzzy Hash: 7731C661B1C9494FE798EB7CD46EB79B6C6EF99215F0405BAE04EC3293DD649C018381
                                                                        Function 00007FFAACCA0D21 Relevance: 1.4, Strings: 1, Instructions: 124COMMON
                                                                        Download Yara Rule
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000017.00000002.2050811774.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_23_2_7ffaacca0000_SystemUser.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 6
                                                                        • API String ID: 0-1452363761
                                                                        • Opcode ID: 49778f3853c5b56610eb5c8100df00f8429c7fd7eba093ae5006c7087cbd7095
                                                                        • Instruction ID: affd80408a980c38067cc2e5725e18ccc7d8da27ee56210037de0421e8455606
                                                                        • Opcode Fuzzy Hash: 49778f3853c5b56610eb5c8100df00f8429c7fd7eba093ae5006c7087cbd7095
                                                                        • Instruction Fuzzy Hash: 0E31CA92B18A095FF744BBBC981E7BD66D6EF99750F0441BAE00DC3193DE68AC418381
                                                                        Function 00007FFAACCA1719 Relevance: .4, Instructions: 376COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000017.00000002.2050811774.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_23_2_7ffaacca0000_SystemUser.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6ae7aaae6c39699715b5c30babd01abfff2457cb747a7518f2e4d5d480790a11
                                                                        • Instruction ID: 2e948f74e133a724a91ef1d9764ec4cc683a8d05a4817e61d53dd8d3ef46aa15
                                                                        • Opcode Fuzzy Hash: 6ae7aaae6c39699715b5c30babd01abfff2457cb747a7518f2e4d5d480790a11
                                                                        • Instruction Fuzzy Hash: EFC1E861A19A498FEB94FB38846D6B877E2FF99354B4444B8E40FC32D3DE29DC058781
                                                                        Function 00007FFAACCA0985 Relevance: .3, Instructions: 346COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000017.00000002.2050811774.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_23_2_7ffaacca0000_SystemUser.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 514862c6425e2be3a2aec87a3d938d924dc8d8d8078e016b0e27260a944dab31
                                                                        • Instruction ID: 5dd4d39900ab4901fb51f202039f1d4d90bcca8ad7e795e51d38dc2914af6283
                                                                        • Opcode Fuzzy Hash: 514862c6425e2be3a2aec87a3d938d924dc8d8d8078e016b0e27260a944dab31
                                                                        • Instruction Fuzzy Hash: 3CA127B66085669EE700FBBCE8499ED7BA5EF8533470441B7D14DCB083CA24648AC7E4
                                                                        Function 00007FFAACCA09D3 Relevance: .3, Instructions: 320COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000017.00000002.2050811774.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_23_2_7ffaacca0000_SystemUser.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 9784ad11910115476325b59d9ecac0773610ba4439328438a738e050ff01829c
                                                                        • Instruction ID: 9505d3defb205e45e06c7b51e0feb395a832d2072b3e2dd27bf3313d4202c18b
                                                                        • Opcode Fuzzy Hash: 9784ad11910115476325b59d9ecac0773610ba4439328438a738e050ff01829c
                                                                        • Instruction Fuzzy Hash: CE9127BAA085169EE700FBBCF4499ED7BA5EF85335B0445B7D14DCB183CA24648A83E4
                                                                        Function 00007FFAACCA0A08 Relevance: .3, Instructions: 305COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000017.00000002.2050811774.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_23_2_7ffaacca0000_SystemUser.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 512284b84c4f269462213b883a9589b482966c18f5883eea5767ef669df6424f
                                                                        • Instruction ID: 838086855bc54c5e919909c9095fad8b427d74bf62a8cda80fd98f8818fcd3ef
                                                                        • Opcode Fuzzy Hash: 512284b84c4f269462213b883a9589b482966c18f5883eea5767ef669df6424f
                                                                        • Instruction Fuzzy Hash: 7D8117B6A085169EE700BBBCF449AFD7BA5EF89334B0445B7D14DCB183CA24648AC7D4
                                                                        Function 00007FFAACCA0A10 Relevance: .3, Instructions: 301COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000017.00000002.2050811774.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_23_2_7ffaacca0000_SystemUser.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 30594b6071f6c85200c383b7c8d616944319e5da4fbcb0b3a449e59e89ce89d2
                                                                        • Instruction ID: 8d9f1616e97587db718182c1fe7ff2370961825ceaedb3d201112361c9b053de
                                                                        • Opcode Fuzzy Hash: 30594b6071f6c85200c383b7c8d616944319e5da4fbcb0b3a449e59e89ce89d2
                                                                        • Instruction Fuzzy Hash: 1D8116B6A085169EE700BBBCF449AED7BA5EF85334B0445B7D14DCB183CA24648A87D4
                                                                        Function 00007FFAACCA0A48 Relevance: .3, Instructions: 270COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000017.00000002.2050811774.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_23_2_7ffaacca0000_SystemUser.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c0ab2da4ed45114e44160177a8d248418b3b6b5fa43c88444216d40050e10aed
                                                                        • Instruction ID: 78401fbc487022064b70d63e550de0d336a60d9b17d8f971580bf26813459861
                                                                        • Opcode Fuzzy Hash: c0ab2da4ed45114e44160177a8d248418b3b6b5fa43c88444216d40050e10aed
                                                                        • Instruction Fuzzy Hash: B77128B6A0851A9EE700FBBCE4499ED7BA5EF89334B1445B7D04DC7193CA246086C7D4
                                                                        Function 00007FFAACCA0778 Relevance: .2, Instructions: 152COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000017.00000002.2050811774.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_23_2_7ffaacca0000_SystemUser.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7979e3e02f4262fc067f804acf1ec5e4788204f61a3dc3597ecb28cea2c4b8e3
                                                                        • Instruction ID: 0062d771690aff6eec33755bcee013fb9be5ec78be22ab0b276b725228e2f106
                                                                        • Opcode Fuzzy Hash: 7979e3e02f4262fc067f804acf1ec5e4788204f61a3dc3597ecb28cea2c4b8e3
                                                                        • Instruction Fuzzy Hash: BF516FA191D2898FD341F73CD0689F9BFE1EF46218B9481F6E08DCB2D3DE2894098785
                                                                        Function 00007FFAACCA0BD3 Relevance: .1, Instructions: 119COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000017.00000002.2050811774.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_23_2_7ffaacca0000_SystemUser.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 485fe27fce8cfb7f1d0638070549e4f900eab2d8ffb2ad2a9b96926adb51cd2b
                                                                        • Instruction ID: 1a90524d7ff5ccd193b80da08c6571c433a3b09df98c54b6d60162acd67d92e2
                                                                        • Opcode Fuzzy Hash: 485fe27fce8cfb7f1d0638070549e4f900eab2d8ffb2ad2a9b96926adb51cd2b
                                                                        • Instruction Fuzzy Hash: 8741C470A1864D9FEB85EB78C4596EDBBF2EF99310F5040B5E00ED3292CE39A8058781
                                                                        Function 00007FFAACCA1DC1 Relevance: .0, Instructions: 43COMMON
                                                                        Download Yara Rule
                                                                        Memory Dump Source
                                                                        • Source File: 00000017.00000002.2050811774.00007FFAACCA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCA0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_23_2_7ffaacca0000_SystemUser.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b07fb6d7797c6fa3818f4a415099d98dbb8f6e0e875e787271effdec9eaf2004
                                                                        • Instruction ID: 4186d6837e805ab9fc4de76e875deb73c7138037d0b87df3e2b7acf5365f3e9b
                                                                        • Opcode Fuzzy Hash: b07fb6d7797c6fa3818f4a415099d98dbb8f6e0e875e787271effdec9eaf2004
                                                                        • Instruction Fuzzy Hash: F601261490E6C18FFB82AB38086D471BFE1DFA3610B0804EAE48DCB1A3D808994983C2