Windows Analysis Report
Lr87y2w72r.exe

Overview

General Information

Sample name: Lr87y2w72r.exe (renamed because the original name is a hash value)
Original sample name: 19b81ad404867d7e37bc180400713050f6a09ee2ea72328aa33ecb90b9bb1f38.exe
Analysis ID: 1530280
MD5: 7ef6d06098d77dc55bedb7f332e21a22
SHA1: 1c9b0799c852985d94c6287c7a311d431fda2521
SHA256: 19b81ad404867d7e37bc180400713050f6a09ee2ea72328aa33ecb90b9bb1f38
Tags: exe, user-Chainskilabs

Detection

XWorm
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Connects to many ports of the same IP (likely port scanning)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Lr87y2w72r.exe (PID: 2668 cmdline: "C:\Users\user\Desktop\Lr87y2w72r.exe" MD5: 7EF6D06098D77DC55BEDB7F332E21A22)
    • powershell.exe (PID: 7128 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Lr87y2w72r.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7280 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Lr87y2w72r.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7660 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7824 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • System User.exe (PID: 2000 cmdline: "C:\Users\user\AppData\Roaming\System User.exe" MD5: 7EF6D06098D77DC55BEDB7F332E21A22)
  • System User.exe (PID: 7244 cmdline: "C:\Users\user\AppData\Roaming\System User.exe" MD5: 7EF6D06098D77DC55BEDB7F332E21A22)
  • cleanup

Malware Configuration

{"C2 url": ["147.185.221.18"], "Port": "29734", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Overview

Initial sample (type: SAMPLE)
Source: Lr87y2w72r.exe | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: Lr87y2w72r.exe | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: Lr87y2w72r.exe | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
  • 0xefea:$s6: VirtualBox
  • 0xef48:$s8: Win32_ComputerSystem
  • 0x11971:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x11a0e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x11b23:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10e9f:$cnc4: POST / HTTP/1.1

Dropped file (type: DROPPED)
Source: C:\Users\user\AppData\Roaming\System User.exe | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: C:\Users\user\AppData\Roaming\System User.exe | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: C:\Users\user\AppData\Roaming\System User.exe | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
  • 0xefea:$s6: VirtualBox
  • 0xef48:$s8: Win32_ComputerSystem
  • 0x11971:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x11a0e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x11b23:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10e9f:$cnc4: POST / HTTP/1.1

Memory dumps (type: MEMORY)
Source: 00000000.00000000.1663966596.0000000000682000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 00000000.00000000.1663966596.0000000000682000.00000002.00000001.01000000.00000003.sdmp | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
  • 0xedea:$s6: VirtualBox
  • 0xed48:$s8: Win32_ComputerSystem
  • 0x11771:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1180e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x11923:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10c9f:$cnc4: POST / HTTP/1.1
Source: 00000000.00000002.2922065201.0000000002961000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: Process Memory Space: Lr87y2w72r.exe PID: 2668 | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security

Unpacked PE (type: UNPACKEDPE)
Source: 0.0.Lr87y2w72r.exe.680000.0.unpack | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 0.0.Lr87y2w72r.exe.680000.0.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: 0.0.Lr87y2w72r.exe.680000.0.unpack | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
  • 0xefea:$s6: VirtualBox
  • 0xef48:$s8: Win32_ComputerSystem
  • 0x11971:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x11a0e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x11b23:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10e9f:$cnc4: POST / HTTP/1.1

The MALWARE_Win_AsyncRAT hits are on generic strings (a VM vendor name, a WMI class, three browser User-Agent values and "POST / HTTP/1.1") rather than family-specific code, so they do not contradict the XWorm classification, which the JoeSecurity_XWorm rule and the extracted configuration (Version "XWorm V5.6") support. The same strings match at the same offsets in the initial sample, the dropped copy and the unpacked PE because the dropped file is a byte-identical copy (same MD5).

                    System Summary

Sigma rule matches
Source: Process started | Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Lr87y2w72r.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Lr87y2w72r.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Lr87y2w72r.exe", ParentImage: C:\Users\user\Desktop\Lr87y2w72r.exe, ParentProcessId: 2668, ParentProcessName: Lr87y2w72r.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Lr87y2w72r.exe', ProcessId: 7128, ProcessName: powershell.exe
Source: Process started | Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Lr87y2w72r.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Lr87y2w72r.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Lr87y2w72r.exe", ParentImage: C:\Users\user\Desktop\Lr87y2w72r.exe, ParentProcessId: 2668, ParentProcessName: Lr87y2w72r.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Lr87y2w72r.exe', ProcessId: 7128, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\System User.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Lr87y2w72r.exe, ProcessId: 2668, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System User
Source: Process started | Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Lr87y2w72r.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Lr87y2w72r.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Lr87y2w72r.exe", ParentImage: C:\Users\user\Desktop\Lr87y2w72r.exe, ParentProcessId: 2668, ParentProcessName: Lr87y2w72r.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Lr87y2w72r.exe', ProcessId: 7128, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Lr87y2w72r.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Lr87y2w72r.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Lr87y2w72r.exe", ParentImage: C:\Users\user\Desktop\Lr87y2w72r.exe, ParentProcessId: 2668, ParentProcessName: Lr87y2w72r.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Lr87y2w72r.exe', ProcessId: 7128, ProcessName: powershell.exe
Suricata IDS alerts
Timestamp: 2024-10-09T23:11:18.691168+0200 | SID: 2855924 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source: 192.168.2.4:49764 | Destination: 147.185.221.18:29734 | Protocol: TCP
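
The four PowerShell launches and the Run-key write listed above are what the Sigma matches fire on. The Python below is an added example (it is neither Joe Sandbox code nor the Sigma rules themselves) that reproduces those events as constructed Sysmon-style records and applies the same three checks: Add-MpPreference with an -Exclusion* parameter, -ExecutionPolicy Bypass or Unrestricted, and a SetValue on a CurrentVersion\Run key whose target lives in a user-writable AppData path. The regexes, the event layout and the benign control event are this example's own assumptions; the paths and command lines are the report's.

```python
import re

# Paths taken from the report; everything else in this file is constructed.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Users\user\Desktop\Lr87y2w72r.exe"
PAYLOAD = r"C:\Users\user\AppData\Roaming\System User.exe"


def ps_cmd(args):
    """Quote the PowerShell image path the way the report's command lines do."""
    return f'"{PS}" {args}'


# Constructed Sysmon-style events (EventID 1 = process create, 13 = registry
# value set) that reproduce the report's process tree and Run-key write.
# The last event is a benign control that should match nothing.
EVENTS = [
    {"EventID": 1, "Image": PS, "ParentImage": DROPPER,
     "CommandLine": ps_cmd(f"-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{DROPPER}'")},
    {"EventID": 1, "Image": PS, "ParentImage": DROPPER,
     "CommandLine": ps_cmd("-ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Lr87y2w72r.exe'")},
    {"EventID": 1, "Image": PS, "ParentImage": DROPPER,
     "CommandLine": ps_cmd(f"-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{PAYLOAD}'")},
    {"EventID": 1, "Image": PS, "ParentImage": DROPPER,
     "CommandLine": ps_cmd("-ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User.exe'")},
    {"EventID": 13, "Image": DROPPER, "EventType": "SetValue",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System User",
     "Details": PAYLOAD},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": ps_cmd("-NoProfile -Command Get-MpPreference")},
]

# Rule titles mirror the Sigma rules named in the report; the patterns are
# this example's own approximation of what those rules look for.
CMDLINE_RULES = {
    "Powershell Defender Exclusion": re.compile(
        r"\b(Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension|IpAddress)\b", re.I),
    "Change PowerShell Policies to an Insecure Level": re.compile(
        r"-(ep|ex|exec|executionpolicy)\s+(bypass|unrestricted)\b", re.I),
}
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.I)
EXCLUSION_ARG = re.compile(r"-Exclusion(Path|Process)\s+'([^']+)'", re.I)


def detect(events):
    """Return one finding per (event, rule) pair that matches."""
    findings = []
    for idx, ev in enumerate(events):
        if ev["EventID"] == 1:
            cmd = ev["CommandLine"]
            for title, pattern in CMDLINE_RULES.items():
                if pattern.search(cmd):
                    findings.append({"event": idx, "rule": title, "detail": cmd})
        elif ev["EventID"] == 13 and ev.get("EventType") == "SetValue":
            # Autorun value whose target lives in a user-writable profile path
            if RUN_KEY.search(ev["TargetObject"]) and USER_WRITABLE.search(ev["Details"]):
                findings.append({"event": idx,
                                 "rule": "CurrentVersion Autorun Keys Modification",
                                 "detail": ev["TargetObject"] + " = " + ev["Details"]})
    return findings


def exclusions_added(events):
    """(kind, value) for every Defender exclusion the command lines add; this
    is the list a responder removes again with Remove-MpPreference."""
    found = []
    for ev in events:
        if ev["EventID"] == 1:
            found.extend(EXCLUSION_ARG.findall(ev["CommandLine"]))
    return found


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f['rule']}] event {f['event']}: {f['detail']}")
    print("exclusions to remove:", exclusions_added(EVENTS))
```

Run stand-alone it prints nine findings (each of the four PowerShell launches trips both command-line rules, the registry write trips the autorun rule) and the four exclusions to remove: two -ExclusionPath entries and two -ExclusionProcess entries, while the Get-MpPreference control matches nothing. Add-MpPreference only succeeds in an elevated session, which is why the WindowsPrincipal.IsInRole(WindowsBuiltInRole) call the report lists under "Security API names" is worth reading as an administrator check that precedes these launches.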

                    AV Detection

Source: Lr87y2w72r.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\System User.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: Lr87y2w72r.exe | Malware Configuration Extractor: Xworm {"C2 url": ["147.185.221.18"], "Port": "29734", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Users\user\AppData\Roaming\System User.exe | ReversingLabs: Detection: 76%
Source: Lr87y2w72r.exe | ReversingLabs: Detection: 76%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\System User.exe | Joe Sandbox ML: detected
Source: Lr87y2w72r.exe | Joe Sandbox ML: detected
Source: Lr87y2w72r.exe | String decryptor: 147.185.221.18
Source: Lr87y2w72r.exe | String decryptor: 29734
Source: Lr87y2w72r.exe | String decryptor: <123456789>
Source: Lr87y2w72r.exe | String decryptor: <Xwormmm>
Source: Lr87y2w72r.exe | String decryptor: XWorm V5.6
Source: Lr87y2w72r.exe | String decryptor: USB.exe
Source: Lr87y2w72r.exe | String decryptor: %AppData%
Source: Lr87y2w72r.exe | String decryptor: System User.exe
Source: Lr87y2w72r.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Lr87y2w72r.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49764 -> 147.185.221.18:29734
Source: Malware configuration extractor | URLs: 147.185.221.18
Source: global traffic | TCP traffic: 147.185.221.18 ports 29734,2,3,4,7,9
Source: Yara match | File source: Lr87y2w72r.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Lr87y2w72r.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\System User.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.4:49764 -> 147.185.221.18:29734
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 147.185.221.18
Source: Joe Sandbox View | ASN Name: TUT-ASUS
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: unknown | DNS query: name: ip-api.com
Source: unknown | TCP traffic detected without corresponding DNS query: 147.185.221.18 (17 occurrences)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: powershell.exe, 0000000B.00000002.2261214271.000001E073603000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
Source: powershell.exe, 0000000B.00000002.2267555257.000001E073799000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mBQ
Source: Lr87y2w72r.exe, System User.exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000001.00000002.1768492724.0000022CB4EE2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1891647178.000001C5349D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2037964075.000001F890072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2234785193.000001E06B2A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2101912255.000001E05B458000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1744502954.0000022CA5099000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1820891207.000001C524B89000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1940524565.000001F880228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2101912255.000001E05B458000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Lr87y2w72r.exe, 00000000.00000002.2922065201.0000000002961000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1744502954.0000022CA4E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1820891207.000001C524961000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1940524565.000001F880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2101912255.000001E05B231000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1744502954.0000022CA5099000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1820891207.000001C524B89000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1940524565.000001F880228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2101912255.000001E05B458000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.2101912255.000001E05B458000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1776260468.0000022CBD730000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.I
Source: powershell.exe, 00000001.00000002.1774934024.0000022CBD396000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000001.00000002.1744502954.0000022CA4E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1820891207.000001C524961000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1940524565.000001F880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2101912255.000001E05B231000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000B.00000002.2234785193.000001E06B2A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2234785193.000001E06B2A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2234785193.000001E06B2A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2101912255.000001E05B458000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1768492724.0000022CB4EE2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1891647178.000001C5349D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2037964075.000001F890072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2234785193.000001E06B2A0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

Only http://ip-api.com/line/?fields=hosting comes from the sample and its dropped copy. The remaining URLs were found in the memory of the four powershell.exe processes and are ordinary strings from PowerShell's own modules (NuGet/PackageManagement, Pester, PowerShellGet manifest placeholders on contoso.com, SOAP schema namespaces); they are not indicators of this sample.
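
The network evidence above (a DNS lookup only for ip-api.com, a GET for /line/?fields=hosting with no User-Agent, and TCP connections to 147.185.221.18 on port 29734 and several other ports without any DNS resolution) can be checked mechanically. The Python below is an added example, not Joe Sandbox code: it builds constructed DNS, flow and HTTP records that mirror the report's traffic, plus a resolved control connection to an unrelated address that is this example's own, and flags destinations never seen in a DNS answer, a hosting/data-center lookup, a missing User-Agent, connections to the address from the extracted configuration, and port fan-out against a single IP. The record layout, the GEOIP_HOSTS list and the fan-out threshold are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address

# From the report: the C2 address recovered by the configuration extractor.
C2_FROM_CONFIG = {"147.185.221.18"}
# Assumption: services whose only use in a sample is a "am I hosted?" check.
GEOIP_HOSTS = {"ip-api.com"}
FANOUT_THRESHOLD = 3   # distinct destination ports on one IP before flagging

# Constructed records mirroring the report's traffic. Real input would be
# Zeek dns/conn/http logs or a pcap. The last two records are a resolved
# control connection (this example's own, not from the report).
RECORDS = [
    ("dns", "ip-api.com", "208.95.112.1"),
    ("tcp", "192.168.2.4", 49760, "208.95.112.1", 80),
    ("http", "208.95.112.1", "GET", "ip-api.com", "/line/?fields=hosting", ""),
    ("tcp", "192.168.2.4", 49764, "147.185.221.18", 29734),
    ("tcp", "192.168.2.4", 49765, "147.185.221.18", 2),
    ("tcp", "192.168.2.4", 49766, "147.185.221.18", 3),
    ("tcp", "192.168.2.4", 49767, "147.185.221.18", 4),
    ("tcp", "192.168.2.4", 49768, "147.185.221.18", 7),
    ("tcp", "192.168.2.4", 49769, "147.185.221.18", 9),
    ("dns", "example.com", "93.184.216.34"),
    ("tcp", "192.168.2.4", 49770, "93.184.216.34", 443),
]


def triage(records, known_c2=C2_FROM_CONFIG, fanout=FANOUT_THRESHOLD):
    """Return (category, subject, detail) findings over the record set.

    DNS answers anywhere in the set count as resolution, so a connection is
    only called hard-coded when no lookup in the whole capture returned its IP.
    """
    resolved = set()
    ports_by_dst = defaultdict(set)
    findings = []
    for rec in records:
        kind = rec[0]
        if kind == "dns":
            resolved.add(rec[2])
        elif kind == "tcp":
            _, _src, _sport, dst, dport = rec
            ports_by_dst[dst].add(dport)
        elif kind == "http":
            _, _dst, _method, host, uri, user_agent = rec
            if host in GEOIP_HOSTS and "hosting" in uri:
                findings.append(("hosting_check", host, uri))
            if not user_agent:
                findings.append(("no_user_agent", host, uri))
    for dst, ports in ports_by_dst.items():
        plist = sorted(ports)
        if dst in known_c2:
            findings.append(("known_c2", dst, plist))
        if dst not in resolved and not ip_address(dst).is_private:
            findings.append(("no_dns", dst, plist))
        if len(ports) >= fanout:
            findings.append(("port_fanout", dst, plist))
    return findings


if __name__ == "__main__":
    for category, subject, detail in triage(RECORDS):
        print(f"{category:14} {subject} {detail}")
```

On the constructed records this yields five findings: the hosting lookup and the empty User-Agent on ip-api.com, and known_c2, no_dns and port_fanout for 147.185.221.18; the resolved control connection produces nothing. The fields=hosting query is what the "Check if machine is in data center or colocation facility" signature keys on; samples commonly use that answer to abort on hosted analysis machines, so if a re-run of this sample never reaches 147.185.221.18, check whether the lookup answered true before concluding the C2 is down.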

                    Operating System Destruction

Source: C:\Users\user\Desktop\Lr87y2w72r.exe | Process information set: 01 00 00 00

This is the BreakOnTermination flag (signature "Protects its processes via BreakOnTermination flag") being set to 1. Setting it needs SeDebugPrivilege, which matches the "Enables debug privileges" signature, and once it is set, terminating the process bugchecks the machine with CRITICAL_PROCESS_DIED. During response, remove the Run key and the Defender exclusions and reboot rather than killing the process while the flag is set.

                    System Summary

Source: Lr87y2w72r.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.Lr87y2w72r.exe.680000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1663966596.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\System User.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\Lr87y2w72r.exe | Code function: 0_2_00007FFD9B805BC6
Source: C:\Users\user\Desktop\Lr87y2w72r.exe | Code function: 0_2_00007FFD9B806972
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B8D2E11
Source: C:\Users\user\AppData\Roaming\System User.exe | Code function: 13_2_00007FFD9B7E1038
Source: C:\Users\user\AppData\Roaming\System User.exe | Code function: 15_2_00007FFD9B801038
Source: Lr87y2w72r.exe, 00000000.00000000.1663966596.0000000000682000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs Lr87y2w72r.exe
Source: Lr87y2w72r.exe | Binary or memory string: OriginalFilenameXClient.exe4 vs Lr87y2w72r.exe
Source: Lr87y2w72r.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Lr87y2w72r.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.Lr87y2w72r.exe.680000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1663966596.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\System User.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

The version-info OriginalFilename XClient.exe is the name XWorm client builds typically carry, which is consistent with the family classification; the on-disk names (a hash, then "System User.exe") are the submitter's and the installer's, not the builder's.
Source: Lr87y2w72r.exe, pJkvDeZyA3qs6euxKHfCttUPjUas2POCBregTOxyfD2NjeVyTplVLU0kf.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Lr87y2w72r.exe, pJkvDeZyA3qs6euxKHfCttUPjUas2POCBregTOxyfD2NjeVyTplVLU0kf.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Lr87y2w72r.exe, 7XN4U2sb5T1SRkPSBXptFf4WjWrVKoP4KLK8aNmY8dKToDpH9cMekGWp5.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: System User.exe.0.dr, pJkvDeZyA3qs6euxKHfCttUPjUas2POCBregTOxyfD2NjeVyTplVLU0kf.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: System User.exe.0.dr, pJkvDeZyA3qs6euxKHfCttUPjUas2POCBregTOxyfD2NjeVyTplVLU0kf.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: System User.exe.0.dr, 7XN4U2sb5T1SRkPSBXptFf4WjWrVKoP4KLK8aNmY8dKToDpH9cMekGWp5.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: System User.exe.0.dr, q8gc1STqsDV1Ap7SP2Iu5zJG7c3Wnvqrq1E5fZh7BJcbDOolFssclNbEvLN97gAtz8Ko0L5PAcIjYubd.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: System User.exe.0.dr, q8gc1STqsDV1Ap7SP2Iu5zJG7c3Wnvqrq1E5fZh7BJcbDOolFssclNbEvLN97gAtz8Ko0L5PAcIjYubd.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Lr87y2w72r.exe, q8gc1STqsDV1Ap7SP2Iu5zJG7c3Wnvqrq1E5fZh7BJcbDOolFssclNbEvLN97gAtz8Ko0L5PAcIjYubd.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Lr87y2w72r.exe, q8gc1STqsDV1Ap7SP2Iu5zJG7c3Wnvqrq1E5fZh7BJcbDOolFssclNbEvLN97gAtz8Ko0L5PAcIjYubd.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@15/20@1/2
Source: C:\Users\user\Desktop\Lr87y2w72r.exe | File created: C:\Users\user\AppData\Roaming\System User.exe
Source: C:\Users\user\AppData\Roaming\System User.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7288:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5480:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7832:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7668:120:WilError_03
Source: C:\Users\user\Desktop\Lr87y2w72r.exe | Mutant created: \Sessions\1\BaseNamedObjects\fLvWT1a4T9RVsWWn
Source: C:\Users\user\Desktop\Lr87y2w72r.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: Lr87y2w72r.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Lr87y2w72r.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Lr87y2w72r.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Lr87y2w72r.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Lr87y2w72r.exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\Desktop\Lr87y2w72r.exe | File read: C:\Users\user\Desktop\Lr87y2w72r.exe
Source: unknown | Process created: C:\Users\user\Desktop\Lr87y2w72r.exe "C:\Users\user\Desktop\Lr87y2w72r.exe"
Source: C:\Users\user\Desktop\Lr87y2w72r.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Lr87y2w72r.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Lr87y2w72r.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Lr87y2w72r.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Lr87y2w72r.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Lr87y2w72r.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\System User.exe "C:\Users\user\AppData\Roaming\System User.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\System User.exe "C:\Users\user\AppData\Roaming\System User.exe"
Source: C:\Users\user\Desktop\Lr87y2w72r.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Lr87y2w72r.exe'
Source: C:\Users\user\Desktop\Lr87y2w72r.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Lr87y2w72r.exe'
Source: C:\Users\user\Desktop\Lr87y2w72r.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe'
Source: C:\Users\user\Desktop\Lr87y2w72r.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User.exe'
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: avicap32.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: msvfw32.dllJump to behavior
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\System User.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                    Source: Lr87y2w72r.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Lr87y2w72r.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: Lr87y2w72r.exe, OFRiSAv7OJKaKH0eGv2cmv.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{gf2zGLudVoYi2V20Rqx9OaTwhJxkEBDgD1ryYvRWmotUzus.lixIEFMZAY5IkIH4re5i4tZkFLWiipiPLbTy4XtM9ULdt5L,gf2zGLudVoYi2V20Rqx9OaTwhJxkEBDgD1ryYvRWmotUzus._24q8l9ZCA7Xx503VTKsJpRfpDjw89DiROEEvXh4kZeouI99,gf2zGLudVoYi2V20Rqx9OaTwhJxkEBDgD1ryYvRWmotUzus.Sv9aISGseLxEMmtrKmkkZAXxUczgKMgh1NBooGVU2MU5cGk,gf2zGLudVoYi2V20Rqx9OaTwhJxkEBDgD1ryYvRWmotUzus.sjFS2PiQS6wXaBFUY935vdczfr7gnWGErBIc3VyLzv4QQDA,pJkvDeZyA3qs6euxKHfCttUPjUas2POCBregTOxyfD2NjeVyTplVLU0kf.UprbQrRXnrJqzFPgMaJZ2QzmdLHjL8FAZpCGtMLKPSwGwJPS786CWKsJ6()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: Lr87y2w72r.exe, OFRiSAv7OJKaKH0eGv2cmv.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{VCNxmid2p7eD4VpTPSzC60[2],pJkvDeZyA3qs6euxKHfCttUPjUas2POCBregTOxyfD2NjeVyTplVLU0kf._7GVnXHztzQqQhuZG2HGbUvEFaeevYgwd94EYeYt7rzMBmWqZvTgng2ynYsOjPD1RXI78BDXO0BXb8u8FuFGUIZfbc(Convert.FromBase64String(VCNxmid2p7eD4VpTPSzC60[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: System User.exe.0.dr, OFRiSAv7OJKaKH0eGv2cmv.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{gf2zGLudVoYi2V20Rqx9OaTwhJxkEBDgD1ryYvRWmotUzus.lixIEFMZAY5IkIH4re5i4tZkFLWiipiPLbTy4XtM9ULdt5L,gf2zGLudVoYi2V20Rqx9OaTwhJxkEBDgD1ryYvRWmotUzus._24q8l9ZCA7Xx503VTKsJpRfpDjw89DiROEEvXh4kZeouI99,gf2zGLudVoYi2V20Rqx9OaTwhJxkEBDgD1ryYvRWmotUzus.Sv9aISGseLxEMmtrKmkkZAXxUczgKMgh1NBooGVU2MU5cGk,gf2zGLudVoYi2V20Rqx9OaTwhJxkEBDgD1ryYvRWmotUzus.sjFS2PiQS6wXaBFUY935vdczfr7gnWGErBIc3VyLzv4QQDA,pJkvDeZyA3qs6euxKHfCttUPjUas2POCBregTOxyfD2NjeVyTplVLU0kf.UprbQrRXnrJqzFPgMaJZ2QzmdLHjL8FAZpCGtMLKPSwGwJPS786CWKsJ6()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: System User.exe.0.dr, OFRiSAv7OJKaKH0eGv2cmv.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{VCNxmid2p7eD4VpTPSzC60[2],pJkvDeZyA3qs6euxKHfCttUPjUas2POCBregTOxyfD2NjeVyTplVLU0kf._7GVnXHztzQqQhuZG2HGbUvEFaeevYgwd94EYeYt7rzMBmWqZvTgng2ynYsOjPD1RXI78BDXO0BXb8u8FuFGUIZfbc(Convert.FromBase64String(VCNxmid2p7eD4VpTPSzC60[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: Lr87y2w72r.exe, OFRiSAv7OJKaKH0eGv2cmv.cs.Net Code: yLz97ybw3IluW9pUnMEToY System.AppDomain.Load(byte[])
                    Source: Lr87y2w72r.exe, OFRiSAv7OJKaKH0eGv2cmv.cs.Net Code: qauz7qwPBUet6iXtLzm5fa System.AppDomain.Load(byte[])
                    Source: Lr87y2w72r.exe, OFRiSAv7OJKaKH0eGv2cmv.cs.Net Code: qauz7qwPBUet6iXtLzm5fa
                    Source: System User.exe.0.dr, OFRiSAv7OJKaKH0eGv2cmv.cs.Net Code: yLz97ybw3IluW9pUnMEToY System.AppDomain.Load(byte[])
                    Source: System User.exe.0.dr, OFRiSAv7OJKaKH0eGv2cmv.cs.Net Code: qauz7qwPBUet6iXtLzm5fa System.AppDomain.Load(byte[])
                    Source: System User.exe.0.dr, OFRiSAv7OJKaKH0eGv2cmv.cs.Net Code: qauz7qwPBUet6iXtLzm5fa
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exe; Code function: 0_2_00007FFD9B8000AD pushad ; iretd 0_2_00007FFD9B8000C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 1_2_00007FFD9B6ED2A5 pushad ; iretd 1_2_00007FFD9B6ED2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 1_2_00007FFD9B8000AD pushad ; iretd 1_2_00007FFD9B8000C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 1_2_00007FFD9B8D2316 push 8B485F91h; iretd 1_2_00007FFD9B8D231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 4_2_00007FFD9B6DD2A5 pushad ; iretd 4_2_00007FFD9B6DD2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 4_2_00007FFD9B7F19DC pushad ; ret 4_2_00007FFD9B7F19E9
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 4_2_00007FFD9B7F00AD pushad ; iretd 4_2_00007FFD9B7F00C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 4_2_00007FFD9B8C0B83 push C522C391h; ret 4_2_00007FFD9B8C11A2
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 4_2_00007FFD9B8C2316 push 8B485F92h; iretd 4_2_00007FFD9B8C231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 4_2_00007FFD9B8C1AC8 push es; retf 4_2_00007FFD9B8C1AC9
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 9_2_00007FFD9B6ED2A5 pushad ; iretd 9_2_00007FFD9B6ED2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 9_2_00007FFD9B80BAE8 push E85A7FD7h; ret 9_2_00007FFD9B80BAF9
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 9_2_00007FFD9B80B9FA push E85A7FD7h; ret 9_2_00007FFD9B80BAF9
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 9_2_00007FFD9B8019D2 pushad ; ret 9_2_00007FFD9B8019E1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 9_2_00007FFD9B8000AD pushad ; iretd 9_2_00007FFD9B8000C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 9_2_00007FFD9B8D2316 push 8B485F91h; iretd 9_2_00007FFD9B8D231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 11_2_00007FFD9B6BD2A5 pushad ; iretd 11_2_00007FFD9B6BD2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 11_2_00007FFD9B7D00AD pushad ; iretd 11_2_00007FFD9B7D00C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 11_2_00007FFD9B8A2316 push 8B485F94h; iretd 11_2_00007FFD9B8A231B
                    Source: C:\Users\user\AppData\Roaming\System User.exe; Code function: 13_2_00007FFD9B7E00AD pushad ; iretd 13_2_00007FFD9B7E00C1
                    Source: C:\Users\user\AppData\Roaming\System User.exe; Code function: 15_2_00007FFD9B8000AD pushad ; iretd 15_2_00007FFD9B8000C1
                    Source: Lr87y2w72r.exe, gf2zGLudVoYi2V20Rqx9OaTwhJxkEBDgD1ryYvRWmotUzus.cs; High entropy of concatenated method names: '_8rli0A61DsTWy2zrCfCiK9ZWPWevEl8Y6NT6lg7NO0jRqywRaZCVmhFUx9ed5xuXqDo54III5Dlx2YSXD', 'qmCCID9Ns2ceuOFcx1PtOKVJrKP6ANhijCZBsoINCBOXNvwZMusgp0ko81VFmlcL47kle7gF9qL6x6TlG', 'pbzfWUyuBG98nqVQzTMqXFwl51FJGE9IEm3C0kojYIDX4myes5VqcSDUwiO8UZXmiHm8XXjlRciHfszIq', 'FQ0YvJ4wO9JgrMC2yM2EeB52MThEUKyoMMBKMkBMtYgSd94tM25QPJlRrzX706vwTJVkB0EWVJYPSX0qA'
                    Source: Lr87y2w72r.exe, 4MEABhetR1xoJDyAgKZFG0OKOlsL0jTZhlfqNExlcGYMe1mCz9CYjhNosIQ1pwFBC7KcvFoewXn.cs; High entropy of concatenated method names: 'rfNifEflhLDfrhlItQFGAymF6myuimxJ6hsnF1W3XZdeLnJueepdVgP7jLMK2WfFTeSk8xlv17H', 'm1CWmUMLhxh0BUva58jm3mFenbPQ9KmheSVN5JbZnAw2Amlvv0KOLe5GRc8Ot64EaqERBZUG5iz', 'xBTbOtxfLYKbRDCPqGCZcXbyvxofulmXMfqM7Xu1UYVTguGPzXRmBMM9ywUYaSQFDXAsRWDDBtR', 'hw4CAKoUHo5Rxjne1wOv58732yddee2cfvDhiNnYcQd1', '_8wH9hhWjuppcrMvjwUi9qLqvWk1KshYNYWAD8vQYqrG7', 'Ik9icY2SpCytEBjBVOdTCrwhJBmOb9SoC0sP95BoqKdk', 'Gl2EEPjYqEN9jxAOJFzaz10rrooNV8fFjm4YSTssmPW2', 'rAKaXM4GqEXZvHblqgcezPbjTEb8difECwJb7FLm3svI', 'Ax7qLo3UyxGwm32PunvXzYlEomm1GyRi27WzusZHxqHd', '_8XW2EShqOHsAMIdwGcLh1FNNOcxXz7rQm1vYeTpYL5JovgEqBzs0H7zuLa9s7uOAG0oqcUgH0uD3'
                    Source: Lr87y2w72r.exe, kNpv8p12uSAwcC27ehj4ODkR4dSru6CPNwZIgsxRIacDzm4YPrhzmXV7s82ErE.cs; High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_2YzR88KzK6wFaH55CmAsh76RiK3pSG5kfrUodowiYENCZdMAGguM4SgAsGt3RxKvhuUfprRaUd870S9br', 'Sik5vf10YquQfSKm6wg127Zd6akSSqZGI5mOz8035GikhyM6JjGwPrB7LaTdotKSYzBUWUTaHtaDaw1vs', 'rfzheMAfma4oj48ep64gTyyn5ks7g6sdPsSpdAsJM4MIX8VzbHOXzU5qYw9OaanC62XzyEJwXOsiJll0W', 'u94QLs34yLAIbqTJOHM6LdX1Ep3Mme5ouhbl2dMoW3rcVxOsBL8lGDhJKEW6GYIcssv0v7JK0EVORXTmr'
                    Source: Lr87y2w72r.exe, U7pP2SodB7D6eGIbhZZKU67oqHdcpvJmRAsNb4YGG6cGzOZ.cs; High entropy of concatenated method names: 'sFNajLO5nCZcagoeT6q37gVKAN4qkggrJd3nFdWREh3PtHa', 'EjyrybYBoQRoDnc7xJuhaa2kzogPq25y44RHUJDB7haYPLYaYEPFzoXK5SipMCDi4wuTnXfZgWBN8tej', '_0Y2Xy2PzTe2nBxTKEbUs2AVatFxe4dVcsZKQNBfivUqAywdFfYXSen7xhkrq4pg840bbqvAJYuCOshEy', 'U84UTnjvJxCamGjytaa3rfhyzeeucha5b8eNKGgGzuiwtJvZTqtM7Rvm4y1H7zHomfLmzcO3zqL60Aua', '_2WfIxdiCgu6be0ApVKpeeEmDiE1GyT0Eonypvy78ePRBT7YYOPR3jrAdMROhrzHduI1JVwTRXPKOy3Dl', 'BzaBbE1l2RvAAtHSc0gvCidAqfDsXyvJQmrPlT5Z7UbvVVtYEZFZ8l6txbFyMkYluiOnd0uvjeND42JS', '_3G15g5K51Ds0vDt0G7BuDvp27ZTjBm22nWjw3INmEaFxSCC010390OLd0bLLgv9aZiOxn0Bo95sImMnn', 'WkboxHyYOKNj3zt3vrurEy7PB6VWJLKYPHgfp7zZGIWdlsd7UIQmre7u7Ic41bxMcGlnYyTSmFdnm3Nl', 'GDNh38K66rDYbAnXYBWPgBde7XM4XzQQ59JXzTD8Ptxvs1cWKI1eYdP6TCcKkAAUEXc4RXr3KHAe71du', 'cXkYasA0fbXjr3ZKk2CZahLUEyqvwbjxqyr6yHFf3nW9WVfPGFWkaAHMnCh84hyoPld7zihIugYFhNun'
                    Source: Lr87y2w72r.exe, pJkvDeZyA3qs6euxKHfCttUPjUas2POCBregTOxyfD2NjeVyTplVLU0kf.cs; High entropy of concatenated method names: 'iLR36B0wv3NaqkpcMf4dlOpUcZO4jspSWQ6np8gUBEcUy4ODONlWnOrjs', 'uG8pSg6RBX1zr18QL0crbYNRXZQLxwJsG0Hq3kBXcyiyvLXoYNDzBdtXr', 'EX0UCNMb67s5yrMV4NmFgPy00nNhWff5IiSClp5Zvf3DSk17pT2LxEdCm', 'MAbEtbhglExcjuHeTbXmHblXe1Rh3OMdWKqxZaAOzJiGPZPfE0v8BNB1A', 'dhhbXsoeA5TaQHoxk0nb2O5ZdHFDmL8rF8u2JNPoKGarqKJBb1f7NJUit', 'EQKT8oWMTaggRCxL1dNOd6CYCRXAUMHbiSpIx3UGACNNHuCY8jcE1SrTl', 'oqovDXQBAqzEhMRJ6zVd4F7RzuiFUHWXej2mMncOpBh49JDb3QnVv8GrP', 'Hz22NCUnZhc4NXEiyer1tGV1reGf8yEz6kH4Ny7rSbHxnrosYvuUsia45', 'psmrwvoPZLErO20JkSuGZZWYwpjDcAP5WfxIf5Ja0XsDlxbtYR5BGrK3L', 'bpmeiBG85d2Q2ioUKFITsveER8QInRzf2wnlz7AwFRx82uGif6zGDPGP2'
                    Source: Lr87y2w72r.exe, q8gc1STqsDV1Ap7SP2Iu5zJG7c3Wnvqrq1E5fZh7BJcbDOolFssclNbEvLN97gAtz8Ko0L5PAcIjYubd.cs; High entropy of concatenated method names: '_3GMPqkpAKAZazkWarm4PplJT0AdQOvj2kEMI3IaqCWNBZ1kOi4NkvKgnX6yAtVusPZ3CMNRjHqYBjtJy', '_3FDUpbsUUs6TgJqvBFBydKurSZTciSPDmAW1HalgKvuncd7LiHt1btLT0lQHs1jZfgfUApV6oRXt3b7e', 'KtbuepT8jJJ7z1kxKkI7v26mzxtff4Egl6ao6YIYOs8BYvNyzTVtNpiURj3X7AtjJh1vFU3IajjIAcLb', 'GHHNNeTfADFze931KpM3Sk', 'OeVIhBcOTkP7DH0FSVDeum', 'Uz94sSrpDd2T7AYk38FQWU', 'kiB88PrcPrahYku2d5Hv59', 'wKSlkujw02uEt7W0zefW4Q', 'cIeVr4PEy6QQwY7GilWI0h', 'OGcigPdr9LeVPUn1YRKDsx'
                    Source: Lr87y2w72r.exe, 5yPpcWPpckLwLcuZyDfs7u.cs; High entropy of concatenated method names: 'UIgwHB7nWR59NkArt2Sa54', 'vOratbFCsMUYR3qx5HSBtLmS5BAFjGkiqVeU1nPzk6BaQGgcyAS7vzddJTUdEEePpScUODPKxiYPhC1d1Lc9JyyfRSLKkPT6H', 'QqRPXVyZ2lst3YktnjjtMNUeotzCMRoPAZg8VmTs7xiBp4RIfaa0lmMP7dYTxwYHgtoz8IYnfAIHkZX7EMoCaGewQgZYmvHHD', '_2BR2Bn8lLIn8w9sNIvwlMQHYG49FXbISCm8JHXh4JuthAtULaMX2TPCMD5W0aqhuCsvddF6kE10CjV8YTPm7HglAARQN6Phi5', '_011IwezYQkkquWY89P8V6IFCw5UTvWQdiPsw9kURVXpSrklp05YrvRc9VielO8XKMrYbwdxrZuTUhBehYGd28RDmjhj03J1BM', 'Mcn9AsbdEInjUwnMqDN5Syh4wLa01LXFibIL8Xs2e1PmglWGyTWHesCxvD2fgovszr551ZIEauJhJk8s9ScVUpLFL6FeAObBj', 's5WDjepEqkFDRVBuRb0bKfkoN6KeJHkhEb41t2uV67Kou4JPC2RiPKaGxZoo1FgIpCRHtTUXJBCsPluqsZ5Q0XUN1M10VENFp', 'wyzuHfgWPjhL9MqbmD7vEvxo6jZNl2IdhsndLbCsCJnIbqgjdcy5ThAaGYLYB9ttkalFHGHHPs17HB2xjg1XsXZIUXcEb6Jmk', 'AZzlpztMYeHmTXjPYjx5tLgp7RH0YF11IFoMvocsd7drf3B8BCnN2GbbN0a0LcwKayzWgXC1yriRBMq9RyH7mSMUWR8Qc20r0', 'J9W2OuJlFvAzNX6Fb2yzeeH2cCv9HdUQjQkWyf9Z0bALoycHFjkAuHFBUzhZPZMrzTYeFrqrVfiVkcpARYrQIxMiZQajCvArM'
                    Source: Lr87y2w72r.exe, OFRiSAv7OJKaKH0eGv2cmv.cs; High entropy of concatenated method names: 'S2qcynbxSUKg9B8LIYhAL5', 'yLz97ybw3IluW9pUnMEToY', 'bWYGkc9u4o6CV6ByGEx9P8', 'OW4YZOhDbBqyQKe4Dj9Ip5', 'PX4TaWu3EI5ZpIrhi6Z6H8', '_1IYE7WQloAZ20HwWXiijoJ', 'jRlCbMbaMPdLY7P6Zp1aEp', '_7iGewu6XPrNUikZShz8FES', 'XHNkPImbPF5CIiXCvydRcF', 'BxSIeflemoIEMp7EnuXQXP'
                    Source: Lr87y2w72r.exe, UY0PSNspz4sAcpT3Rk6ISa.cs; High entropy of concatenated method names: 'PyCoZYfjLs7JjkV6QOWTwc', 'dvJjiqsMbChgaebsHCjCzVZWmu', 'vrjHso4YPfD4byRyGKcRgWzMtQ', 'p40O6OW62M8JtpmoNff23xE8ir', 'qChobVNWuKY9T2REFy67qXll4s'
                    Source: Lr87y2w72r.exe, 7XN4U2sb5T1SRkPSBXptFf4WjWrVKoP4KLK8aNmY8dKToDpH9cMekGWp5.cs; High entropy of concatenated method names: 'ukyHjChPsfaPGGbJ23E2AMGcOmp31EhQtlqS0XXSaytHmDikKUOsd8oNo', '_7PXZBsC4qE47AePWdmQAIojR3cOvoRYNPE0qV7T9QUz49nDVE5NHzHqaJUC', 'AcZv9WXETFNhd6pxNXNqHQK58kSgv1BIiVTr4LEDVmwuVM6i7Kc5p7B6pGt', 'VYwIiUGZXUOaxAztAUkHaKo5CGjLBnSpT3OEn2nfoL18SjuO5BismdNPTkE', 'ksIWxioMheVcKTpzb05xDfrzSkKRrrjPKAqiKwfnd3UMUQAUdPJ0MHMITvb'
                    Source: Lr87y2w72r.exe, tspa1gC1ysKmxdaDfpI3Tm9ri.cs; High entropy of concatenated method names: 'iPkKmMO8y7168DOdJklJR9oC0', 'a4zmR3wfDDHQYBdtoqzy5er0D', 'jvcRB2p6kTkOTfnJpsFgK6QMy465DaGTyXl5TAfHGvFTbysgxqCZTULlH', 'xGW7Z4Fc2JNlsyBTIfk5WTSkFgpGe3iWYShq4GMsr4z4dJ37GCHuuJWW3', 'ldcts3hyhN8mfrctnFFfI1CMkKvceWI3xeqwVbqjJf4IgVQj22OkzvhHVCE', 'GsSTkYwPlrJM0ROTZ3jqo1vz8ZLuz2GkvaKa0LCfD20J74rdHmpkv4hyHjq', '_2NSKdPtc4dvMfm4bfdct1Gcp0NS93tyfxjpBTinWtb86vj4lrwrI00AVu0L', 'I9zLXgyyi5zF8ieqR50yZ5Gjga81xQgsRczUdrmZnRwXAnyaGNQJAhqXIm2', 'woAeM1QVPcE1nCsMF7xTA4Xt2uzvEOlvWiJDTVXye06LEAitO6w33wlM4yv', 'hegZFmaPE3EdIpYdK4LtnliOQ633foWgvz7hk0dtajORYGkxJbsY8IOI9y0'
                    Source: System User.exe.0.dr, gf2zGLudVoYi2V20Rqx9OaTwhJxkEBDgD1ryYvRWmotUzus.cs; High entropy of concatenated method names: '_8rli0A61DsTWy2zrCfCiK9ZWPWevEl8Y6NT6lg7NO0jRqywRaZCVmhFUx9ed5xuXqDo54III5Dlx2YSXD', 'qmCCID9Ns2ceuOFcx1PtOKVJrKP6ANhijCZBsoINCBOXNvwZMusgp0ko81VFmlcL47kle7gF9qL6x6TlG', 'pbzfWUyuBG98nqVQzTMqXFwl51FJGE9IEm3C0kojYIDX4myes5VqcSDUwiO8UZXmiHm8XXjlRciHfszIq', 'FQ0YvJ4wO9JgrMC2yM2EeB52MThEUKyoMMBKMkBMtYgSd94tM25QPJlRrzX706vwTJVkB0EWVJYPSX0qA'
                    Source: System User.exe.0.dr, 4MEABhetR1xoJDyAgKZFG0OKOlsL0jTZhlfqNExlcGYMe1mCz9CYjhNosIQ1pwFBC7KcvFoewXn.cs; High entropy of concatenated method names: 'rfNifEflhLDfrhlItQFGAymF6myuimxJ6hsnF1W3XZdeLnJueepdVgP7jLMK2WfFTeSk8xlv17H', 'm1CWmUMLhxh0BUva58jm3mFenbPQ9KmheSVN5JbZnAw2Amlvv0KOLe5GRc8Ot64EaqERBZUG5iz', 'xBTbOtxfLYKbRDCPqGCZcXbyvxofulmXMfqM7Xu1UYVTguGPzXRmBMM9ywUYaSQFDXAsRWDDBtR', 'hw4CAKoUHo5Rxjne1wOv58732yddee2cfvDhiNnYcQd1', '_8wH9hhWjuppcrMvjwUi9qLqvWk1KshYNYWAD8vQYqrG7', 'Ik9icY2SpCytEBjBVOdTCrwhJBmOb9SoC0sP95BoqKdk', 'Gl2EEPjYqEN9jxAOJFzaz10rrooNV8fFjm4YSTssmPW2', 'rAKaXM4GqEXZvHblqgcezPbjTEb8difECwJb7FLm3svI', 'Ax7qLo3UyxGwm32PunvXzYlEomm1GyRi27WzusZHxqHd', '_8XW2EShqOHsAMIdwGcLh1FNNOcxXz7rQm1vYeTpYL5JovgEqBzs0H7zuLa9s7uOAG0oqcUgH0uD3'
                    Source: System User.exe.0.dr, kNpv8p12uSAwcC27ehj4ODkR4dSru6CPNwZIgsxRIacDzm4YPrhzmXV7s82ErE.cs; High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_2YzR88KzK6wFaH55CmAsh76RiK3pSG5kfrUodowiYENCZdMAGguM4SgAsGt3RxKvhuUfprRaUd870S9br', 'Sik5vf10YquQfSKm6wg127Zd6akSSqZGI5mOz8035GikhyM6JjGwPrB7LaTdotKSYzBUWUTaHtaDaw1vs', 'rfzheMAfma4oj48ep64gTyyn5ks7g6sdPsSpdAsJM4MIX8VzbHOXzU5qYw9OaanC62XzyEJwXOsiJll0W', 'u94QLs34yLAIbqTJOHM6LdX1Ep3Mme5ouhbl2dMoW3rcVxOsBL8lGDhJKEW6GYIcssv0v7JK0EVORXTmr'
                    Source: System User.exe.0.dr, U7pP2SodB7D6eGIbhZZKU67oqHdcpvJmRAsNb4YGG6cGzOZ.cs; High entropy of concatenated method names: 'sFNajLO5nCZcagoeT6q37gVKAN4qkggrJd3nFdWREh3PtHa', 'EjyrybYBoQRoDnc7xJuhaa2kzogPq25y44RHUJDB7haYPLYaYEPFzoXK5SipMCDi4wuTnXfZgWBN8tej', '_0Y2Xy2PzTe2nBxTKEbUs2AVatFxe4dVcsZKQNBfivUqAywdFfYXSen7xhkrq4pg840bbqvAJYuCOshEy', 'U84UTnjvJxCamGjytaa3rfhyzeeucha5b8eNKGgGzuiwtJvZTqtM7Rvm4y1H7zHomfLmzcO3zqL60Aua', '_2WfIxdiCgu6be0ApVKpeeEmDiE1GyT0Eonypvy78ePRBT7YYOPR3jrAdMROhrzHduI1JVwTRXPKOy3Dl', 'BzaBbE1l2RvAAtHSc0gvCidAqfDsXyvJQmrPlT5Z7UbvVVtYEZFZ8l6txbFyMkYluiOnd0uvjeND42JS', '_3G15g5K51Ds0vDt0G7BuDvp27ZTjBm22nWjw3INmEaFxSCC010390OLd0bLLgv9aZiOxn0Bo95sImMnn', 'WkboxHyYOKNj3zt3vrurEy7PB6VWJLKYPHgfp7zZGIWdlsd7UIQmre7u7Ic41bxMcGlnYyTSmFdnm3Nl', 'GDNh38K66rDYbAnXYBWPgBde7XM4XzQQ59JXzTD8Ptxvs1cWKI1eYdP6TCcKkAAUEXc4RXr3KHAe71du', 'cXkYasA0fbXjr3ZKk2CZahLUEyqvwbjxqyr6yHFf3nW9WVfPGFWkaAHMnCh84hyoPld7zihIugYFhNun'
                    Source: System User.exe.0.dr, pJkvDeZyA3qs6euxKHfCttUPjUas2POCBregTOxyfD2NjeVyTplVLU0kf.cs; High entropy of concatenated method names: 'iLR36B0wv3NaqkpcMf4dlOpUcZO4jspSWQ6np8gUBEcUy4ODONlWnOrjs', 'uG8pSg6RBX1zr18QL0crbYNRXZQLxwJsG0Hq3kBXcyiyvLXoYNDzBdtXr', 'EX0UCNMb67s5yrMV4NmFgPy00nNhWff5IiSClp5Zvf3DSk17pT2LxEdCm', 'MAbEtbhglExcjuHeTbXmHblXe1Rh3OMdWKqxZaAOzJiGPZPfE0v8BNB1A', 'dhhbXsoeA5TaQHoxk0nb2O5ZdHFDmL8rF8u2JNPoKGarqKJBb1f7NJUit', 'EQKT8oWMTaggRCxL1dNOd6CYCRXAUMHbiSpIx3UGACNNHuCY8jcE1SrTl', 'oqovDXQBAqzEhMRJ6zVd4F7RzuiFUHWXej2mMncOpBh49JDb3QnVv8GrP', 'Hz22NCUnZhc4NXEiyer1tGV1reGf8yEz6kH4Ny7rSbHxnrosYvuUsia45', 'psmrwvoPZLErO20JkSuGZZWYwpjDcAP5WfxIf5Ja0XsDlxbtYR5BGrK3L', 'bpmeiBG85d2Q2ioUKFITsveER8QInRzf2wnlz7AwFRx82uGif6zGDPGP2'
                    Source: System User.exe.0.dr, q8gc1STqsDV1Ap7SP2Iu5zJG7c3Wnvqrq1E5fZh7BJcbDOolFssclNbEvLN97gAtz8Ko0L5PAcIjYubd.cs; High entropy of concatenated method names: '_3GMPqkpAKAZazkWarm4PplJT0AdQOvj2kEMI3IaqCWNBZ1kOi4NkvKgnX6yAtVusPZ3CMNRjHqYBjtJy', '_3FDUpbsUUs6TgJqvBFBydKurSZTciSPDmAW1HalgKvuncd7LiHt1btLT0lQHs1jZfgfUApV6oRXt3b7e', 'KtbuepT8jJJ7z1kxKkI7v26mzxtff4Egl6ao6YIYOs8BYvNyzTVtNpiURj3X7AtjJh1vFU3IajjIAcLb', 'GHHNNeTfADFze931KpM3Sk', 'OeVIhBcOTkP7DH0FSVDeum', 'Uz94sSrpDd2T7AYk38FQWU', 'kiB88PrcPrahYku2d5Hv59', 'wKSlkujw02uEt7W0zefW4Q', 'cIeVr4PEy6QQwY7GilWI0h', 'OGcigPdr9LeVPUn1YRKDsx'
                    Source: System User.exe.0.dr, 5yPpcWPpckLwLcuZyDfs7u.cs; High entropy of concatenated method names: 'UIgwHB7nWR59NkArt2Sa54', 'vOratbFCsMUYR3qx5HSBtLmS5BAFjGkiqVeU1nPzk6BaQGgcyAS7vzddJTUdEEePpScUODPKxiYPhC1d1Lc9JyyfRSLKkPT6H', 'QqRPXVyZ2lst3YktnjjtMNUeotzCMRoPAZg8VmTs7xiBp4RIfaa0lmMP7dYTxwYHgtoz8IYnfAIHkZX7EMoCaGewQgZYmvHHD', '_2BR2Bn8lLIn8w9sNIvwlMQHYG49FXbISCm8JHXh4JuthAtULaMX2TPCMD5W0aqhuCsvddF6kE10CjV8YTPm7HglAARQN6Phi5', '_011IwezYQkkquWY89P8V6IFCw5UTvWQdiPsw9kURVXpSrklp05YrvRc9VielO8XKMrYbwdxrZuTUhBehYGd28RDmjhj03J1BM', 'Mcn9AsbdEInjUwnMqDN5Syh4wLa01LXFibIL8Xs2e1PmglWGyTWHesCxvD2fgovszr551ZIEauJhJk8s9ScVUpLFL6FeAObBj', 's5WDjepEqkFDRVBuRb0bKfkoN6KeJHkhEb41t2uV67Kou4JPC2RiPKaGxZoo1FgIpCRHtTUXJBCsPluqsZ5Q0XUN1M10VENFp', 'wyzuHfgWPjhL9MqbmD7vEvxo6jZNl2IdhsndLbCsCJnIbqgjdcy5ThAaGYLYB9ttkalFHGHHPs17HB2xjg1XsXZIUXcEb6Jmk', 'AZzlpztMYeHmTXjPYjx5tLgp7RH0YF11IFoMvocsd7drf3B8BCnN2GbbN0a0LcwKayzWgXC1yriRBMq9RyH7mSMUWR8Qc20r0', 'J9W2OuJlFvAzNX6Fb2yzeeH2cCv9HdUQjQkWyf9Z0bALoycHFjkAuHFBUzhZPZMrzTYeFrqrVfiVkcpARYrQIxMiZQajCvArM'
                    Source: System User.exe.0.dr, OFRiSAv7OJKaKH0eGv2cmv.cs; High entropy of concatenated method names: 'S2qcynbxSUKg9B8LIYhAL5', 'yLz97ybw3IluW9pUnMEToY', 'bWYGkc9u4o6CV6ByGEx9P8', 'OW4YZOhDbBqyQKe4Dj9Ip5', 'PX4TaWu3EI5ZpIrhi6Z6H8', '_1IYE7WQloAZ20HwWXiijoJ', 'jRlCbMbaMPdLY7P6Zp1aEp', '_7iGewu6XPrNUikZShz8FES', 'XHNkPImbPF5CIiXCvydRcF', 'BxSIeflemoIEMp7EnuXQXP'
                    Source: System User.exe.0.dr, UY0PSNspz4sAcpT3Rk6ISa.cs; High entropy of concatenated method names: 'PyCoZYfjLs7JjkV6QOWTwc', 'dvJjiqsMbChgaebsHCjCzVZWmu', 'vrjHso4YPfD4byRyGKcRgWzMtQ', 'p40O6OW62M8JtpmoNff23xE8ir', 'qChobVNWuKY9T2REFy67qXll4s'
                    Source: System User.exe.0.dr, 7XN4U2sb5T1SRkPSBXptFf4WjWrVKoP4KLK8aNmY8dKToDpH9cMekGWp5.cs; High entropy of concatenated method names: 'ukyHjChPsfaPGGbJ23E2AMGcOmp31EhQtlqS0XXSaytHmDikKUOsd8oNo', '_7PXZBsC4qE47AePWdmQAIojR3cOvoRYNPE0qV7T9QUz49nDVE5NHzHqaJUC', 'AcZv9WXETFNhd6pxNXNqHQK58kSgv1BIiVTr4LEDVmwuVM6i7Kc5p7B6pGt', 'VYwIiUGZXUOaxAztAUkHaKo5CGjLBnSpT3OEn2nfoL18SjuO5BismdNPTkE', 'ksIWxioMheVcKTpzb05xDfrzSkKRrrjPKAqiKwfnd3UMUQAUdPJ0MHMITvb'
                    Source: System User.exe.0.dr, tspa1gC1ysKmxdaDfpI3Tm9ri.cs; High entropy of concatenated method names: 'iPkKmMO8y7168DOdJklJR9oC0', 'a4zmR3wfDDHQYBdtoqzy5er0D', 'jvcRB2p6kTkOTfnJpsFgK6QMy465DaGTyXl5TAfHGvFTbysgxqCZTULlH', 'xGW7Z4Fc2JNlsyBTIfk5WTSkFgpGe3iWYShq4GMsr4z4dJ37GCHuuJWW3', 'ldcts3hyhN8mfrctnFFfI1CMkKvceWI3xeqwVbqjJf4IgVQj22OkzvhHVCE', 'GsSTkYwPlrJM0ROTZ3jqo1vz8ZLuz2GkvaKa0LCfD20J74rdHmpkv4hyHjq', '_2NSKdPtc4dvMfm4bfdct1Gcp0NS93tyfxjpBTinWtb86vj4lrwrI00AVu0L', 'I9zLXgyyi5zF8ieqR50yZ5Gjga81xQgsRczUdrmZnRwXAnyaGNQJAhqXIm2', 'woAeM1QVPcE1nCsMF7xTA4Xt2uzvEOlvWiJDTVXye06LEAitO6w33wlM4yv', 'hegZFmaPE3EdIpYdK4LtnliOQ633foWgvz7hk0dtajORYGkxJbsY8IOI9y0'
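                    The "High entropy of concatenated method names" entries above, for both Lr87y2w72r.exe and the dropped System User.exe, rest on one measurement: the Shannon entropy of a class's method names joined into a single string. Hand-written .NET identifiers draw on a small, repetitive alphabet; the output of a renaming obfuscator looks like uniformly random alphanumerics. The Python below is an added example, not code from the Joe Sandbox report or from the sample, that reproduces the heuristic on one flagged class taken verbatim from the listing (OFRiSAv7OJKaKH0eGv2cmv.cs) and on the ordinary members that open the kNpv8p12... listing. The 5.0-bit threshold and the character-class check are this example's own choices, not values published by the sandbox.

```python
"""Added example: the 'high entropy of concatenated method names' heuristic.

Shannon entropy over the concatenation of a class's method names separates
compiler-style identifiers (Equals, GetHashCode, ToString ...) from the random
alphanumeric names a renaming obfuscator emits. The threshold and the
character-class check below are this example's assumptions, not report values.
"""
import math
from collections import Counter

# Method names copied from the report's listing for OFRiSAv7OJKaKH0eGv2cmv.cs.
OBFUSCATED_NAMES = [
    "S2qcynbxSUKg9B8LIYhAL5", "yLz97ybw3IluW9pUnMEToY", "bWYGkc9u4o6CV6ByGEx9P8",
    "OW4YZOhDbBqyQKe4Dj9Ip5", "PX4TaWu3EI5ZpIrhi6Z6H8", "_1IYE7WQloAZ20HwWXiijoJ",
    "jRlCbMbaMPdLY7P6Zp1aEp", "_7iGewu6XPrNUikZShz8FES", "XHNkPImbPF5CIiXCvydRcF",
    "BxSIeflemoIEMp7EnuXQXP",
]

# The ordinary members that open the kNpv8p12... listing, before its obfuscated ones.
ORDINARY_NAMES = [
    "Equals", "GetHashCode", "GetType", "ToString",
    "Create__Instance__", "Dispose__Instance__",
]

ENTROPY_THRESHOLD_BITS = 5.0  # assumption: hand-tuned for this example


def shannon_entropy(text: str) -> float:
    """Bits per character; log2(62) = 5.95 is the ceiling for [A-Za-z0-9]."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def method_name_entropy(names) -> float:
    """Entropy of all names joined, which is what the signature measures."""
    return shannon_entropy("".join(names))


def mixed_class_ratio(names) -> float:
    """Fraction of names that mix upper case, lower case and digits.

    Hand-written .NET identifiers almost never carry digits; random ones do,
    so this cheap second signal backs up the entropy figure."""
    if not names:
        return 0.0

    def mixed(name: str) -> bool:
        return (any(ch.isupper() for ch in name)
                and any(ch.islower() for ch in name)
                and any(ch.isdigit() for ch in name))

    return sum(mixed(n) for n in names) / len(names)


def looks_obfuscated(names, threshold: float = ENTROPY_THRESHOLD_BITS) -> bool:
    """Flag a class when its joined method names exceed the entropy threshold."""
    return method_name_entropy(names) >= threshold


if __name__ == "__main__":
    for label, names in (("obfuscated", OBFUSCATED_NAMES), ("ordinary", ORDINARY_NAMES)):
        print(f"{label:10s} entropy={method_name_entropy(names):.2f} bits "
              f"mixed-class={mixed_class_ratio(names):.2f} "
              f"flag={looks_obfuscated(names)}")
```

                    The joined obfuscated names come out close to the 5.95-bit ceiling for a 62-symbol alphabet, while the ordinary members sit near the 4.2 bits typical of English-like identifiers. The kNpv8p12... class shows why the report concatenates rather than scoring names one by one: a handful of inherited members such as Equals and GetHashCode cannot pull the aggregate below the threshold when the remaining names are random.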
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exe; File created: C:\Users\user\AppData\Roaming\System User.exe
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run System User (2 identical entries)

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (16 identical entries)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (12 identical entries)
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exe; Process information set: NOOPENFILEERRORBOX (54 identical entries)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX (32 identical entries)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\System User.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                    Source: Lr87y2w72r.exe, System User.exe.0.drBinary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeMemory allocated: FD0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeMemory allocated: 1A960000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\System User.exeMemory allocated: 930000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\System User.exeMemory allocated: 1A440000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\System User.exeMemory allocated: 810000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\System User.exeMemory allocated: 1A660000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\System User.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeWindow / User API: threadDelayed 7981
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeWindow / User API: threadDelayed 1868
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6195
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3567
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7831
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1881
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7796
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1735
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7765
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1859
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exe TID: 8140Thread sleep time: -36893488147419080s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7172Thread sleep time: -5534023222112862s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7364Thread sleep count: 7831 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7364Thread sleep count: 1881 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7392Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7772Thread sleep time: -5534023222112862s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7908Thread sleep count: 7765 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7908Thread sleep count: 1859 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7944Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\System User.exe TID: 5596Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\System User.exe TID: 4348Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Roaming\System User.exeFile Volume queried: C:\ FullSizeInformation
                    Source: System User.exe.0.drBinary or memory string: vmware
                    Source: Lr87y2w72r.exe, 00000000.00000002.2931209750.000000001B7F1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\Lr87y2w72r.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\Lr87y2w72r.exe | Code function: 0_2_00007FFD9B807581 CheckRemoteDebuggerPresent, 0_2_00007FFD9B807581
Source: C:\Users\user\Desktop\Lr87y2w72r.exe | Process queried: DebugPort (ProcessDebugPort via NtQueryInformationProcess; CheckRemoteDebuggerPresent is implemented on top of the same query, so these two entries most likely record one check)
Source: C:\Users\user\Desktop\Lr87y2w72r.exe | Process token adjusted: Debug (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (4 occurrences)
Source: C:\Users\user\Desktop\Lr87y2w72r.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Lr87y2w72r.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Lr87y2w72r.exe' (4 occurrences)
Source: C:\Users\user\Desktop\Lr87y2w72r.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe' (3 occurrences)
Source: C:\Users\user\Desktop\Lr87y2w72r.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Lr87y2w72r.exe'
Source: C:\Users\user\Desktop\Lr87y2w72r.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User.exe'
Add-MpPreference only succeeds from an elevated context, so whether these exclusions took effect depends on the integrity level the sample ran at, which the report does not state. On a real host, Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log records each exclusion that was actually applied.
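The command lines above are the sample's only observed tamper step against Defender, and they are the kind of process-creation event a detection should key on. The following is an added example, not code from the report, from Joe Sandbox or from the malware family, of that check in Python: it runs over constructed process-creation command lines (the four recorded above plus a hypothetical variant that hides the same cmdlet behind -EncodedCommand), decodes the Base64/UTF-16LE payload PowerShell uses for that switch, and reports each exclusion with its kind and value. The sample list, the field names and the `scan` helper are this example's own.

```python
import base64
import re
from typing import Optional

# Assumption: events are plain command-line strings as a process-creation log
# (Sysmon Event ID 1 / Security 4688) carries them. Constructed sample: the
# first four are the exact command lines recorded in the report; the fifth is
# a hypothetical variant hiding the same cmdlet behind -EncodedCommand; the
# last is benign noise.
PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
SAMPLE_EVENTS = [
    PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Lr87y2w72r.exe'",
    PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Lr87y2w72r.exe'",
    PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe'",
    PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User.exe'",
    PS + " -nop -w hidden -enc " + base64.b64encode(
        r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'".encode("utf-16-le")
    ).decode("ascii"),
    PS + " -Command Get-Process",
]

# Add-MpPreference appends an exclusion; Set-MpPreference replaces the list. Both matter.
CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
EXCLUSION_RE = re.compile(
    r"-Exclusion(?P<kind>Path|Process|Extension|IpAddress)\s+"
    r"(?P<value>'[^']*'|\"[^\"]*\"|\S+)",
    re.IGNORECASE,
)
BYPASS_RE = re.compile(r"-(?:ex|ep|executionpolicy)\s+bypass\b", re.IGNORECASE)
# PowerShell accepts -EncodedCommand, -ec, -enc and -e; the payload is Base64 of UTF-16LE text.
ENCODED_RE = re.compile(r"(?<!\w)-(?:encodedcommand|enc|ec|e)\s+(?P<b64>[A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if there is none
    or it does not decode cleanly."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group("b64"), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_defender_exclusions(cmdline: str) -> list[dict]:
    """Flag Defender exclusions added from a PowerShell command line.

    Checks the visible command line and, when present, the decoded
    -EncodedCommand payload, so the Base64-wrapped variant is caught as well.
    One finding per exclusion: kind, value, whether the execution policy was
    bypassed, and whether the cmdlet was hidden inside Base64."""
    findings = []
    bypass = bool(BYPASS_RE.search(cmdline))
    for text, encoded in ((cmdline, False), (decode_encoded_command(cmdline), True)):
        if not text or not CMDLET_RE.search(text):
            continue
        for m in EXCLUSION_RE.finditer(text):
            findings.append({
                "kind": m.group("kind").lower(),
                "value": m.group("value").strip("'\""),
                "bypass": bypass,
                "encoded": encoded,
            })
    return findings


def scan(events: list[str]) -> list[dict]:
    """Run the check over a batch of command lines; each finding carries the
    index of the event it came from."""
    hits = []
    for idx, cmd in enumerate(events):
        for finding in find_defender_exclusions(cmd):
            hits.append({"event": idx, **finding})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The regexes deliberately accept the short switch forms (`-ep`, `-enc`) and `Set-MpPreference`, because the visible command line is the cheapest thing for an operator to vary; the decoded payload is checked with the same rule, so the encoded variant produces the same finding as the clear one.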
Source: Lr87y2w72r.exe, 00000000.00000002.2922065201.00000000029E9000.00000004.00000800.00020000.00000000.sdmp, Lr87y2w72r.exe, 00000000.00000002.2922065201.00000000029D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: Lr87y2w72r.exe, 00000000.00000002.2922065201.00000000029E9000.00000004.00000800.00020000.00000000.sdmp, Lr87y2w72r.exe, 00000000.00000002.2922065201.00000000029D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: Lr87y2w72r.exe, 00000000.00000002.2922065201.00000000029E9000.00000004.00000800.00020000.00000000.sdmp, Lr87y2w72r.exe, 00000000.00000002.2922065201.00000000029D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: Lr87y2w72r.exe, 00000000.00000002.2922065201.00000000029E9000.00000004.00000800.00020000.00000000.sdmp, Lr87y2w72r.exe, 00000000.00000002.2922065201.00000000029D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
Source: Lr87y2w72r.exe, 00000000.00000002.2922065201.00000000029E9000.00000004.00000800.00020000.00000000.sdmp, Lr87y2w72r.exe, 00000000.00000002.2922065201.00000000029D9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager2b
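The memory strings above show the family's message framing: fields separated by the literal token `<Xwormmm>`, with a PING message carrying a window title and a number. As an added example, not code from the report or from the malware, the Python below pulls such messages out of a raw buffer the way `strings | grep Xwormmm` would, in both plain ASCII and the UTF-16LE layout that .NET strings occupy in process memory, trims the stray bytes that sit next to them in a dump (the leading ' and trailing @ visible above), and splits each message into its keyword and fields. The dump is constructed, and the meaning of the fields after the keyword is this example's inference, stated in the code. Because the ATT&CK matrix further down maps this sample's C2 to Encrypted Channel, these strings will not be visible on the wire; run this over process memory or data that has already been decrypted.

```python
import re
from dataclasses import dataclass

# Field delimiter exactly as it appears in the strings recovered from memory.
SPL = "<Xwormmm>"

# `strings`-style extraction: printable ASCII runs, and the UTF-16LE runs that
# .NET string objects actually occupy in process memory.
ASCII_RUN_RE = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Constructed memory excerpt: the strings from the report (including the stray
# ' and @ bytes next to them in the dump), some unrelated runs, and the same
# message as UTF-16LE, which is how the .NET runtime stores it.
SAMPLE_DUMP = (
    b"\x00\x00\x1fPING!<Xwormmm>Program Manager<Xwormmm>0\x00\x00"
    b"junk\x00Program Manager\x00"
    b"'PING!<Xwormmm>Program Manager<Xwormmm>0@\x00"
    + "PING!<Xwormmm>Program Manager<Xwormmm>0".encode("utf-16-le")
)


@dataclass(frozen=True)
class XwormMessage:
    command: str
    fields: tuple[str, ...]


def parse_message(raw: str) -> XwormMessage:
    """Split one delimited message into its leading keyword and the fields after it.

    Assumption, not stated in the report: the first field is the command keyword
    and the rest are positional arguments. For the recovered PING string,
    'Program Manager' is the title of the desktop's Progman window, which is what
    a foreground-window query returns on an idle desktop, so that field is most
    likely the active window title and the trailing '0' a numeric status."""
    parts = raw.split(SPL)
    return XwormMessage(command=parts[0], fields=tuple(parts[1:]))


def _trim_to_message(text: str) -> str:
    # Assumption: bytes adjacent to the message in memory (the leading ' and
    # trailing @ above) are not part of it; keep the span from the first letter
    # to the last alphanumeric character.
    letters = [i for i, c in enumerate(text) if c.isalpha()]
    alnums = [i for i, c in enumerate(text) if c.isalnum()]
    if not letters or not alnums:
        return text
    return text[letters[0]:alnums[-1] + 1]


def extract_messages(blob: bytes) -> list[XwormMessage]:
    """Pull every delimited message out of a raw buffer (memory dump or decrypted
    stream): find printable runs in both encodings, keep those containing the
    delimiter, trim stray neighbours, parse."""
    found = []
    for pattern, encoding in ((ASCII_RUN_RE, "ascii"), (UTF16_RUN_RE, "utf-16-le")):
        for m in pattern.finditer(blob):
            text = m.group().decode(encoding)
            if SPL in text:
                found.append(parse_message(_trim_to_message(text)))
    return found


if __name__ == "__main__":
    for msg in extract_messages(SAMPLE_DUMP):
        print(msg)
```

Scanning for the UTF-16LE form matters in practice: a plain `strings` pass over a .NET process dump finds only copies that happened to be marshalled to ASCII, and the `@PING!...` run the UTF-16 scan picks up out of the sample dump (one stray printable byte before the string) is exactly the kind of neighbour the trim step exists for.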
Source: C:\Users\user\Desktop\Lr87y2w72r.exe | Queries volume information: C:\Users\user\Desktop\Lr87y2w72r.exe VolumeInformation
Each of the four powershell.exe processes recorded the same set of volume-information queries; the set is listed once below, with the per-process repeat count where a path recurs. These catalog and module paths are what PowerShell itself touches while resolving a cmdlet through module auto-discovery and signature checking, so they come from the interpreter rather than from the sample's own logic.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 per process)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 per process)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\System User.exe | Queries volume information: C:\Users\user\AppData\Roaming\System User.exe VolumeInformation (2 occurrences)
Source: C:\Users\user\Desktop\Lr87y2w72r.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Lr87y2w72r.exe, 00000000.00000002.2916406305.0000000000C51000.00000004.00000020.00020000.00000000.sdmp, Lr87y2w72r.exe, 00000000.00000002.2931209750.000000001B856000.00000004.00000020.00020000.00000000.sdmp, Lr87y2w72r.exe, 00000000.00000002.2931209750.000000001B7F1000.00000004.00000020.00020000.00000000.sdmp, Lr87y2w72r.exe, 00000000.00000002.2931209750.000000001B894000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\Lr87y2w72r.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct (3 occurrences)

Stealing of Sensitive Information

Source: Yara match | File source: Lr87y2w72r.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Lr87y2w72r.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1663966596.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2922065201.0000000002961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Lr87y2w72r.exe PID: 2668, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\System User.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: Lr87y2w72r.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Lr87y2w72r.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1663966596.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2922065201.0000000002961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Lr87y2w72r.exe PID: 2668, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\System User.exe, type: DROPPED
MITRE ATT&CK Matrix (reconstructed from the flattened table: one line per tactic column, techniques in the order the matrix lists them; the number in brackets is the report's hit-count badge exactly as extracted, and entries without a badge are the matrix's placeholder techniques with no matching signature)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: [12] Windows Management Instrumentation; [1] PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: [1] Registry Run Keys / Startup Folder; [1] DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: [12] Process Injection; [1] Registry Run Keys / Startup Folder; [1] DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: [1] Masquerading; [11] Disable or Modify Tools; [151] Virtualization/Sandbox Evasion; [12] Process Injection; [1] Deobfuscate/Decode Files or Information; [1] Obfuscated Files or Information; [2] Software Packing; [1] DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: [541] Security Software Discovery; [2] Process Discovery; [151] Virtualization/Sandbox Evasion; [1] Application Window Discovery; [1] System Network Configuration Discovery; [1] File and Directory Discovery; [23] System Information Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: [11] Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: [1] Encrypted Channel; [1] Non-Standard Port; [1] Ingress Tool Transfer; [2] Non-Application Layer Protocol; [12] Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph (ID 1530280; sample Lr87y2w72r.exe; start date 09/10/2024; architecture WINDOWS; score 100)

Root
  DNS: ip-api.com
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures
  Started: Lr87y2w72r.exe (node badges 15 and 5); System User.exe (two instances)

Lr87y2w72r.exe
  Network: ip-api.com, 208.95.112.1, ports 49730 and 80, TUT-ASUS, United States; 147.185.221.18, ports 29734, 49764 and 49878, SALSGIVERUS, United States
  Dropped file: C:\Users\user\AppData\...\System User.exe (PE32)
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag; Bypasses PowerShell execution policy; 2 other signatures
  Started: powershell.exe (23); powershell.exe (23); powershell.exe (21); powershell.exe

powershell.exe (four instances)
  Signature on the first instance: Loading BitLocker PowerShell Module
  Started: conhost.exe (one per powershell.exe)

Screenshots: thumbnail gallery on the original page, including those not shown in the slideshow (images not included in this extraction).
Antivirus detection, submitted sample
Source | Detection | Scanner | Label
Lr87y2w72r.exe | 76% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
Lr87y2w72r.exe | 100% | Avira | TR/Spy.Gen
Lr87y2w72r.exe | 100% | Joe Sandbox ML |

Antivirus detection, dropped file
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\System User.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Roaming\System User.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\System User.exe | 76% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
                    No Antivirus matches
                    No Antivirus matches
Antivirus detection, URLs
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://crl.m | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe
Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | true | | unknown

Contacted URLs and IPs
Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown
147.185.221.18 | true | | unknown
URLs found in memory or binary data
Name | Source (process, memory dump) | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1768492724.0000022CB4EE2000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.1891647178.000001C5349D2000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.2037964075.000001F890072000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.2234785193.000001E06B2A0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.m | powershell.exe, 0000000B.00000002.2261214271.000001E073603000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000B.00000002.2101912255.000001E05B458000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000001.00000002.1744502954.0000022CA5099000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.1820891207.000001C524B89000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.1940524565.000001F880228000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.2101912255.000001E05B458000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000B.00000002.2101912255.000001E05B458000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.microsoft.I | powershell.exe, 00000001.00000002.1776260468.0000022CBD730000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000001.00000002.1744502954.0000022CA5099000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.1820891207.000001C524B89000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.1940524565.000001F880228000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.2101912255.000001E05B458000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 0000000B.00000002.2234785193.000001E06B2A0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1768492724.0000022CB4EE2000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.1891647178.000001C5349D2000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.2037964075.000001F890072000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.2234785193.000001E06B2A0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.microsoft.co | powershell.exe, 00000001.00000002.1774934024.0000022CBD396000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://contoso.com/License | powershell.exe, 0000000B.00000002.2234785193.000001E06B2A0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000B.00000002.2234785193.000001E06B2A0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.mBQ | powershell.exe, 0000000B.00000002.2267555257.000001E073799000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.1744502954.0000022CA4E71000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.1820891207.000001C524961000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.1940524565.000001F880001000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.2101912255.000001E05B231000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Lr87y2w72r.exe, 00000000.00000002.2922065201.0000000002961000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000001.00000002.1744502954.0000022CA4E71000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000004.00000002.1820891207.000001C524961000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.1940524565.000001F880001000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 0000000B.00000002.2101912255.000001E05B231000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000B.00000002.2101912255.000001E05B458000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
                                  • No. of IPs < 25%
                                  • 25% < No. of IPs < 50%
                                  • 50% < No. of IPs < 75%
                                  • 75% < No. of IPs
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true
147.185.221.18 | unknown | United States | 12087 | SALSGIVERUS | true
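The report ties a hosting/datacenter check against ip-api.com (208.95.112.1, port 80) to follow-on traffic from the same process to 147.185.221.18 on a port that is not a standard service port. The Python below is an added example, not Joe Sandbox output, that runs that correlation over Zeek-style JSON http.log and conn.log records: a source host that asks ip-api.com whether it sits in hosting space and then, within a time window, opens a TCP connection to a public IP on a non-standard port produces one alert. The record layout, the internal hosts, the timestamps and the two control connections (8.8.8.8:443 and 147.185.221.22:7000) are constructed; 29734 is assumed to be the remote port of the 147.185.221.18 connection (the report lists 29734, 49764 and 49878 without saying which side each belongs to).

```python
"""Correlate an ip-api.com hosting lookup with a later non-standard-port
connection from the same host. Added example; not Joe Sandbox output."""
import ipaddress
import json
from collections import defaultdict

# Constructed Zeek-style JSON records (not captured traffic). The ip-api URL,
# 208.95.112.1 and 147.185.221.18/.22 are indicators from this report; the
# remote port 29734, the hosts, timestamps and other addresses are assumed.
HTTP_LOG = """
{"ts": 1728508267.1, "id.orig_h": "10.0.0.15", "id.resp_h": "208.95.112.1", "id.resp_p": 80, "host": "ip-api.com", "uri": "/line/?fields=hosting", "user_agent": ""}
{"ts": 1728508300.0, "id.orig_h": "10.0.0.22", "id.resp_h": "208.95.112.1", "id.resp_p": 80, "host": "ip-api.com", "uri": "/json/", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}
"""
CONN_LOG = """
{"ts": 1728508268.4, "id.orig_h": "10.0.0.15", "id.resp_h": "147.185.221.18", "id.resp_p": 29734, "proto": "tcp"}
{"ts": 1728508290.0, "id.orig_h": "10.0.0.15", "id.resp_h": "147.185.221.18", "id.resp_p": 29734, "proto": "tcp"}
{"ts": 1728508310.0, "id.orig_h": "10.0.0.22", "id.resp_h": "8.8.8.8", "id.resp_p": 443, "proto": "tcp"}
{"ts": 1728508400.0, "id.orig_h": "10.0.0.30", "id.resp_h": "147.185.221.22", "id.resp_p": 7000, "proto": "tcp"}
"""

# (host, substring of the URI) pairs that identify a "am I in a datacenter" lookup
GEO_HOSTING_LOOKUPS = {("ip-api.com", "fields=hosting"), ("ip-api.com", "/json")}
STANDARD_PORTS = {22, 25, 53, 80, 123, 443, 465, 587, 993, 995, 8080, 8443}
WINDOW_SECONDS = 600  # how long after the lookup a C2 connection still counts


def parse_jsonl(text: str) -> list:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def is_hosting_lookup(rec: dict) -> bool:
    host = rec.get("host", "").lower()
    uri = rec.get("uri", "")
    return any(host == h and needle in uri for h, needle in GEO_HOSTING_LOOKUPS)


def is_nonstandard_external(rec: dict) -> bool:
    """TCP to a globally routable address on a port outside the usual service set."""
    dst = ipaddress.ip_address(rec["id.resp_h"])
    return rec.get("proto") == "tcp" and dst.is_global and rec["id.resp_p"] not in STANDARD_PORTS


def correlate(http_log: str, conn_log: str, window: float = WINDOW_SECONDS) -> list:
    """One alert per (src, dst, port) whose connection follows a hosting lookup within `window`."""
    lookups = defaultdict(list)
    for rec in parse_jsonl(http_log):
        if is_hosting_lookup(rec):
            lookups[rec["id.orig_h"]].append(rec)
    alerts = {}
    for conn in sorted(parse_jsonl(conn_log), key=lambda r: r["ts"]):
        if not is_nonstandard_external(conn):
            continue
        for lookup in lookups.get(conn["id.orig_h"], []):
            delta = conn["ts"] - lookup["ts"]
            if 0 <= delta <= window:
                key = (conn["id.orig_h"], conn["id.resp_h"], conn["id.resp_p"])
                alerts.setdefault(key, {
                    "src": conn["id.orig_h"], "dst": conn["id.resp_h"], "dport": conn["id.resp_p"],
                    "lookup_uri": lookup["uri"], "seconds_after_lookup": round(delta, 1),
                    # An empty User-Agent is typical of a raw .NET WebClient/HttpWebRequest, not a browser
                    "ua_missing": lookup.get("user_agent", "") == "",
                })
                break
    return list(alerts.values())


if __name__ == "__main__":
    for alert in correlate(HTTP_LOG, CONN_LOG):
        print(alert)
```

The ip-api lookup on its own is weak evidence (browsers and legitimate tools hit it too, which is why the URL is rated safe above); the value comes from requiring the lookup and the odd-port connection from the same host in sequence, which is what the sandbox observed here. A second browser-like lookup and a non-standard-port connection from a host that never did the lookup both stay quiet in the sample data.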
                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1530280
                                  Start date and time:2024-10-09 23:09:11 +02:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 6m 17s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:16
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:Lr87y2w72r.exe
                                  renamed because original name is a hash value
                                  Original Sample Name:19b81ad404867d7e37bc180400713050f6a09ee2ea72328aa33ecb90b9bb1f38.exe
                                  Detection:MAL
                                  Classification:mal100.troj.evad.winEXE@15/20@1/2
                                  EGA Information:
                                  • Successful, ratio: 14.3%
                                  HCA Information:
                                  • Successful, ratio: 100%
                                  • Number of executed functions: 73
                                  • Number of non-executed functions: 5
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                  • Execution Graph export aborted for target System User.exe, PID 2000 because it is empty
                                  • Execution Graph export aborted for target System User.exe, PID 7244 because it is empty
                                  • Execution Graph export aborted for target powershell.exe, PID 7128 because it is empty
                                  • Execution Graph export aborted for target powershell.exe, PID 7280 because it is empty
                                  • Execution Graph export aborted for target powershell.exe, PID 7660 because it is empty
                                  • Execution Graph export aborted for target powershell.exe, PID 7824 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size getting too big, too many NtCreateKey calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                  • VT rate limit hit for: Lr87y2w72r.exe
Time | Type | Description
17:10:07 | API Interceptor | 58x Sleep call for process: powershell.exe modified
17:11:04 | API Interceptor | 218x Sleep call for process: Lr87y2w72r.exe modified
22:11:07 | Autostart | Run: key HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value "System User" = C:\Users\user\AppData\Roaming\System User.exe
22:11:16 | Autostart | Run: key HKCU64\Software\Microsoft\Windows\CurrentVersion\Run, value "System User" = C:\Users\user\AppData\Roaming\System User.exe
IP context (other samples that contacted the same IPs)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | 7LwVrYH7sy.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | p61Wb0tocl.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | 432mtXKD3l.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | sUdsWh0FL4.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | 5q4X9fRo4b.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | 1yvSMiC8Jt.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | WCA-Cooperative-Agreement.docx.exe | malicious | Babadeda, Exela Stealer, Python Stealer, Waltuhium Grabber | ip-api.com/json
208.95.112.1 | a3bZQko7Vi.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Wt7zcwGIYK.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | FUFhVN38a7.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
147.185.221.18 | 7LwVrYH7sy.exe | malicious | XWorm |
147.185.221.18 | 1c8DbXc5r0.exe | malicious | XWorm |
147.185.221.18 | 6Mt223MA25.exe | malicious | ArrowRAT |
147.185.221.18 | b34J4bxnmN.exe | malicious | Njrat |
147.185.221.18 | 01koiHnedL.exe | malicious | Njrat |
147.185.221.18 | i231IEP3oh.exe | malicious | AsyncRAT |
147.185.221.18 | killer.exe | malicious | XWorm |
147.185.221.18 | system47.exe | malicious | XWorm |
147.185.221.18 | javaupdate.jar | malicious | Dynamic Stealer |
147.185.221.18 | javaupdate.jar | malicious | Dynamic Stealer |
Domain context (other samples that resolved the same domain)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | 7LwVrYH7sy.exe | malicious | XWorm | 208.95.112.1
ip-api.com | p61Wb0tocl.exe | malicious | XWorm | 208.95.112.1
ip-api.com | 432mtXKD3l.exe | malicious | XWorm | 208.95.112.1
ip-api.com | sUdsWh0FL4.exe | malicious | XWorm | 208.95.112.1
ip-api.com | 5q4X9fRo4b.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
ip-api.com | 1yvSMiC8Jt.exe | malicious | XWorm | 208.95.112.1
ip-api.com | WCA-Cooperative-Agreement.docx.exe | malicious | Babadeda, Exela Stealer, Python Stealer, Waltuhium Grabber | 208.95.112.1
ip-api.com | a3bZQko7Vi.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | Wt7zcwGIYK.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | FUFhVN38a7.exe | malicious | AgentTesla | 208.95.112.1
ASN context (other samples that contacted the same autonomous systems)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SALSGIVERUS | 7LwVrYH7sy.exe | malicious | XWorm | 147.185.221.18
SALSGIVERUS | 432mtXKD3l.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | 5q4X9fRo4b.exe | malicious | AsyncRAT, XWorm | 147.185.221.17
SALSGIVERUS | l18t80u9zg.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | Windows Defender.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | x2Yi9Hr77a.exe | malicious | XWorm | 147.185.221.23
SALSGIVERUS | e7WMhx18XN.exe | malicious | SilentXMRMiner, Xmrig | 147.185.221.22
SALSGIVERUS | SecuriteInfo.com.Trojan.MulDrop28.25270.15094.4444.exe | malicious | Njrat | 147.185.221.22
SALSGIVERUS | 1c8DbXc5r0.exe | malicious | XWorm | 147.185.221.18
SALSGIVERUS | PixpFUv4G7.exe | malicious | Quasar, XWorm | 147.185.221.21
TUT-ASUS | 7LwVrYH7sy.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | p61Wb0tocl.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | 432mtXKD3l.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | sUdsWh0FL4.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | 5q4X9fRo4b.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
TUT-ASUS | 1yvSMiC8Jt.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | WCA-Cooperative-Agreement.docx.exe | malicious | Babadeda, Exela Stealer, Python Stealer, Waltuhium Grabber | 208.95.112.1
TUT-ASUS | a3bZQko7Vi.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | Wt7zcwGIYK.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | FUFhVN38a7.exe | malicious | AgentTesla | 208.95.112.1
                                                      No context
                                                      No context
                                                      Process:C:\Users\user\AppData\Roaming\System User.exe
                                                      File Type:CSV text
                                                      Category:dropped
                                                      Size (bytes):654
                                                      Entropy (8bit):5.380476433908377
                                                      Encrypted:false
                                                      SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                      MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                      SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                      SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                      SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:data
                                                      Category:modified
                                                      Size (bytes):64
                                                      Entropy (8bit):0.34726597513537405
                                                      Encrypted:false
                                                      SSDEEP:3:Nlll:Nll
                                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                      Malicious:false
                                                      Preview:@...e...........................................................
                                                      Process:C:\Users\user\Desktop\Lr87y2w72r.exe
                                                      File Type:Generic INItialization configuration [WIN]
                                                      Category:dropped
                                                      Size (bytes):58
                                                      Entropy (8bit):3.598349098128234
                                                      Encrypted:false
                                                      SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovX:EFYJKDoWr5FYJKDoP
                                                      MD5:5362ACB758D5B0134C33D457FCC002D9
                                                      SHA1:BC56DFFBE17C015DB6676CF56996E29DF426AB92
                                                      SHA-256:13229E0AD721D53BF9FB50FA66AE92C6C48F2ABB785F9E17A80E224E096028A4
                                                      SHA-512:3FB6DA9993FBFC1DC3204DC2529FB7D9C6FE4E6F06E6C8E2DC0BE05CD0E990ED2643359F26EC433087C1A54C8E1C87D02013413CE8F4E1A6D2F380BE0F5EB09B
                                                      Malicious:false
                                                      Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r
                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      File Type:ASCII text, with no line terminators
                                                      Category:dropped
                                                      Size (bytes):60
                                                      Entropy (8bit):4.038920595031593
                                                      Encrypted:false
                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                      Malicious:false
                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                      Process:C:\Users\user\Desktop\Lr87y2w72r.exe
                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):80896
                                                      Entropy (8bit):5.96955963690912
                                                      Encrypted:false
                                                      SSDEEP:1536:MauM4aD9A9jSDgl4/JO9766Fkbn4pR6lMidHuDOw53rXn:oV4gl4/JO97662bnPLeOw53r3
                                                      MD5:7EF6D06098D77DC55BEDB7F332E21A22
                                                      SHA1:1C9B0799C852985D94C6287C7A311D431FDA2521
                                                      SHA-256:19B81AD404867D7E37BC180400713050F6A09EE2EA72328AA33ECB90B9BB1F38
                                                      SHA-512:23AE312678B8099351900CA4A156EB5B82A536E8A7DF56A90865AC258EE41AC08A0154BA465E18B2840723B79F54CAC1C2C109B2255A8449BAAFBF63E58CA32F
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\System User.exe, Author: Joe Security
                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\System User.exe, Author: Joe Security
                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\System User.exe, Author: ditekSHen
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 76%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...4..g.................2...........P... ...`....@.. ....................................@.................................hP..S....`............................................................................... ............... ..H............text....0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............:..............@..B.................P......H.......L`..........&.....................................................(....*.r...p*. E/..*..(....*.r%..p*. .=l.*.s.........s.........s.........s.........*.r...p*. S...*.r...p*. -...*.r...p*. *p{.*.r7..p*. J...*.r...p*. ..9.*..((...*.rO..p*. .7V.*.r...p*. .(T.*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Q...*"(....+.*&(....&+.*.+5sc... .... .'..od...(,...~....-.(_...(Q...~....oe...&.-.*.rS..p*.r...p*. .x!.*.r...p*. ....*.rB..p*. ..e.*.r...p*.r...p*. .~Z.*.r...p*.r...p*.r'.
                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):5.96955963690912
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                      • Windows Screen Saver (13104/52) 0.07%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      File name:Lr87y2w72r.exe
                                                      File size:80'896 bytes
                                                      MD5:7ef6d06098d77dc55bedb7f332e21a22
                                                      SHA1:1c9b0799c852985d94c6287c7a311d431fda2521
                                                      SHA256:19b81ad404867d7e37bc180400713050f6a09ee2ea72328aa33ecb90b9bb1f38
                                                      SHA512:23ae312678b8099351900ca4a156eb5b82a536e8a7df56a90865ac258ee41ac08a0154ba465e18b2840723b79f54cac1c2c109b2255a8449baafbf63e58ca32f
                                                      SSDEEP:1536:MauM4aD9A9jSDgl4/JO9766Fkbn4pR6lMidHuDOw53rXn:oV4gl4/JO97662bnPLeOw53r3
                                                      TLSH:71837D2C7BE64529F5FFAFB04DE13156DA3AB7136903851F20C9028B1723A89CD516FA
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...4..g.................2...........P... ...`....@.. ....................................@................................
                                                      Icon Hash:90cececece8e8eb0
                                                      Entrypoint:0x4150be
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                      Time Stamp:0x67068334 [Wed Oct 9 13:20:52 2024 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                      Instruction
                                                      jmp dword ptr [00402000h]
                                                      Name | Virtual Address | Virtual Size | Is in Section
                                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x15068 | 0x53 | .text
                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x4ce | .rsrc
                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x18000 | 0xc | .reloc
                                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                      .text | 0x2000 | 0x130c4 | 0x13200 | e514e735a8a165117d180290e88b0d5d | False | 0.610281352124183 | data | 6.035267676390804 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                      .rsrc | 0x16000 | 0x4ce | 0x600 | f94bfdf1ccaaaf2669a2f35a4b1947dd | False | 0.3743489583333333 | data | 3.7256270261483264 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                      .reloc | 0x18000 | 0xc | 0x200 | 2785204d7bf512a883751aba6bc73ddd | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                      RT_VERSION | 0x160a0 | 0x244 | data | | | 0.4724137931034483
                                                      RT_MANIFEST | 0x162e4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                                                      DLL | Import
                                                      mscoree.dll | _CorExeMain
                                                      Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                      2024-10-09T23:11:18.691168+0200 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49764 | 147.185.221.18 | 29734 | TCP
                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                      Oct 9, 2024 23:10:05.472664118 CEST | 49730 | 80 | 192.168.2.4 | 208.95.112.1
                                                      Oct 9, 2024 23:10:05.477740049 CEST | 80 | 49730 | 208.95.112.1 | 192.168.2.4
                                                      Oct 9, 2024 23:10:05.477838039 CEST | 49730 | 80 | 192.168.2.4 | 208.95.112.1
                                                      Oct 9, 2024 23:10:05.478498936 CEST | 49730 | 80 | 192.168.2.4 | 208.95.112.1
                                                      Oct 9, 2024 23:10:05.483411074 CEST | 80 | 49730 | 208.95.112.1 | 192.168.2.4
                                                      Oct 9, 2024 23:10:05.948426008 CEST | 80 | 49730 | 208.95.112.1 | 192.168.2.4
                                                      Oct 9, 2024 23:10:06.003424883 CEST | 49730 | 80 | 192.168.2.4 | 208.95.112.1
                                                      Oct 9, 2024 23:10:46.727523088 CEST | 80 | 49730 | 208.95.112.1 | 192.168.2.4
                                                      Oct 9, 2024 23:10:46.727628946 CEST | 49730 | 80 | 192.168.2.4 | 208.95.112.1
                                                      Oct 9, 2024 23:11:05.112099886 CEST | 49764 | 29734 | 192.168.2.4 | 147.185.221.18
                                                      Oct 9, 2024 23:11:05.116939068 CEST | 29734 | 49764 | 147.185.221.18 | 192.168.2.4
                                                      Oct 9, 2024 23:11:05.120125055 CEST | 49764 | 29734 | 192.168.2.4 | 147.185.221.18
                                                      Oct 9, 2024 23:11:05.158103943 CEST | 49764 | 29734 | 192.168.2.4 | 147.185.221.18
                                                      Oct 9, 2024 23:11:05.162998915 CEST | 29734 | 49764 | 147.185.221.18 | 192.168.2.4
                                                      Oct 9, 2024 23:11:18.691168070 CEST | 49764 | 29734 | 192.168.2.4 | 147.185.221.18
                                                      Oct 9, 2024 23:11:18.696295023 CEST | 29734 | 49764 | 147.185.221.18 | 192.168.2.4
                                                      Oct 9, 2024 23:11:26.487200022 CEST | 29734 | 49764 | 147.185.221.18 | 192.168.2.4
                                                      Oct 9, 2024 23:11:26.487291098 CEST | 49764 | 29734 | 192.168.2.4 | 147.185.221.18
                                                      Oct 9, 2024 23:11:28.960727930 CEST | 49764 | 29734 | 192.168.2.4 | 147.185.221.18
                                                      Oct 9, 2024 23:11:28.962451935 CEST | 49878 | 29734 | 192.168.2.4 | 147.185.221.18
                                                      Oct 9, 2024 23:11:28.965712070 CEST | 29734 | 49764 | 147.185.221.18 | 192.168.2.4
                                                      Oct 9, 2024 23:11:28.967637062 CEST | 29734 | 49878 | 147.185.221.18 | 192.168.2.4
                                                      Oct 9, 2024 23:11:28.967724085 CEST | 49878 | 29734 | 192.168.2.4 | 147.185.221.18
                                                      Oct 9, 2024 23:11:29.545900106 CEST | 49878 | 29734 | 192.168.2.4 | 147.185.221.18
                                                      Oct 9, 2024 23:11:29.551042080 CEST | 29734 | 49878 | 147.185.221.18 | 192.168.2.4
                                                      Oct 9, 2024 23:11:41.641781092 CEST | 49878 | 29734 | 192.168.2.4 | 147.185.221.18
                                                      Oct 9, 2024 23:11:41.647053003 CEST | 29734 | 49878 | 147.185.221.18 | 192.168.2.4
                                                      Oct 9, 2024 23:11:45.955317020 CEST | 49730 | 80 | 192.168.2.4 | 208.95.112.1
                                                      Oct 9, 2024 23:11:45.960531950 CEST | 80 | 49730 | 208.95.112.1 | 192.168.2.4
                                                      Oct 9, 2024 23:11:50.364305973 CEST | 29734 | 49878 | 147.185.221.18 | 192.168.2.4
                                                      Oct 9, 2024 23:11:50.364398003 CEST | 49878 | 29734 | 192.168.2.4 | 147.185.221.18
                                                      Oct 9, 2024 23:11:52.016681910 CEST | 49878 | 29734 | 192.168.2.4 | 147.185.221.18
                                                      Oct 9, 2024 23:11:52.017941952 CEST | 50005 | 29734 | 192.168.2.4 | 147.185.221.18
                                                      Oct 9, 2024 23:11:52.021863937 CEST | 29734 | 49878 | 147.185.221.18 | 192.168.2.4
                                                      Oct 9, 2024 23:11:52.023025036 CEST | 29734 | 50005 | 147.185.221.18 | 192.168.2.4
                                                      Oct 9, 2024 23:11:52.023127079 CEST | 50005 | 29734 | 192.168.2.4 | 147.185.221.18
                                                      Oct 9, 2024 23:11:52.055306911 CEST | 50005 | 29734 | 192.168.2.4 | 147.185.221.18
                                                      Oct 9, 2024 23:11:52.060676098 CEST | 29734 | 50005 | 147.185.221.18 | 192.168.2.4
                                                      Oct 9, 2024 23:12:06.688739061 CEST | 50005 | 29734 | 192.168.2.4 | 147.185.221.18
                                                      Oct 9, 2024 23:12:06.694108963 CEST | 29734 | 50005 | 147.185.221.18 | 192.168.2.4
                                                      Oct 9, 2024 23:12:09.188905954 CEST | 50005 | 29734 | 192.168.2.4 | 147.185.221.18
                                                      Oct 9, 2024 23:12:09.194154978 CEST | 29734 | 50005 | 147.185.221.18 | 192.168.2.4
                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                      Oct 9, 2024 23:10:05.458570957 CEST | 56811 | 53 | 192.168.2.4 | 1.1.1.1
                                                      Oct 9, 2024 23:10:05.465769053 CEST | 53 | 56811 | 1.1.1.1 | 192.168.2.4
                                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                      Oct 9, 2024 23:10:05.458570957 CEST | 192.168.2.4 | 1.1.1.1 | 0x450d | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                      Oct 9, 2024 23:10:05.465769053 CEST | 1.1.1.1 | 192.168.2.4 | 0x450d | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                                      • ip-api.com
                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                      0 | 192.168.2.4 | 49730 | 208.95.112.1 | 80 | 2668 | C:\Users\user\Desktop\Lr87y2w72r.exe
                                                      Timestamp | Bytes transferred | Direction | Data
                                                      Oct 9, 2024 23:10:05.478498936 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                                          Host: ip-api.com
                                                          Connection: Keep-Alive
                                                      Oct 9, 2024 23:10:05.948426008 CEST | 175 | IN | HTTP/1.1 200 OK
                                                          Date: Wed, 09 Oct 2024 21:10:05 GMT
                                                          Content-Type: text/plain; charset=utf-8
                                                          Content-Length: 6
                                                          Access-Control-Allow-Origin: *
                                                          X-Ttl: 60
                                                          X-Rl: 44
                                                          Data Raw: 66 61 6c 73 65 0a
                                                          Data Ascii: false


                                                      Target ID: 0
                                                      Start time: 17:10:01
                                                      Start date: 09/10/2024
                                                      Path: C:\Users\user\Desktop\Lr87y2w72r.exe
                                                      Wow64 process (32bit): false
                                                      Commandline: "C:\Users\user\Desktop\Lr87y2w72r.exe"
                                                      Imagebase: 0x680000
                                                      File size: 80'896 bytes
                                                      MD5 hash: 7EF6D06098D77DC55BEDB7F332E21A22
                                                      Has elevated privileges: true
                                                      Has administrator privileges: true
                                                      Programmed in: C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1663966596.0000000000682000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1663966596.0000000000682000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2922065201.0000000002961000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation: low
                                                      Has exited: false

                                                      Target ID: 1
                                                      Start time: 17:10:05
                                                      Start date: 09/10/2024
                                                      Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit): false
                                                      Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Lr87y2w72r.exe'
                                                      Imagebase: 0x7ff788560000
                                                      File size: 452'608 bytes
                                                      MD5 hash: 04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges: true
                                                      Has administrator privileges: true
                                                      Programmed in: C, C++ or other language
                                                      Reputation: high
                                                      Has exited: true

                                                      Target ID: 2
                                                      Start time: 17:10:05
                                                      Start date: 09/10/2024
                                                      Path: C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit): false
                                                      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase: 0x7ff7699e0000
                                                      File size: 862'208 bytes
                                                      MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges: true
                                                      Has administrator privileges: true
                                                      Programmed in: C, C++ or other language
                                                      Reputation: high
                                                      Has exited: true

                                                      Target ID: 4
                                                      Start time: 17:10:13
                                                      Start date: 09/10/2024
                                                      Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit): false
                                                      Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Lr87y2w72r.exe'
                                                      Imagebase: 0x7ff788560000
                                                      File size: 452'608 bytes
                                                      MD5 hash: 04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges: true
                                                      Has administrator privileges: true
                                                      Programmed in: C, C++ or other language
                                                      Reputation: high
                                                      Has exited: true

                                                      Target ID: 5
                                                      Start time: 17:10:13
                                                      Start date: 09/10/2024
                                                      Path: C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit): false
                                                      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase: 0x7ff7699e0000
                                                      File size: 862'208 bytes
                                                      MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges: true
                                                      Has administrator privileges: true
                                                      Programmed in: C, C++ or other language
                                                      Reputation: high
                                                      Has exited: true

                                                      Target ID: 9
                                                      Start time: 17:10:26
                                                      Start date: 09/10/2024
                                                      Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit): false
                                                      Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe'
                                                      Imagebase: 0x7ff788560000
                                                      File size: 452'608 bytes
                                                      MD5 hash: 04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges: true
                                                      Has administrator privileges: true
                                                      Programmed in: C, C++ or other language
                                                      Reputation: high
                                                      Has exited: true

                                                      Target ID: 10
                                                      Start time: 17:10:26
                                                      Start date: 09/10/2024
                                                      Path: C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit): false
                                                      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase: 0x7ff7699e0000
                                                      File size: 862'208 bytes
                                                      MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges: true
                                                      Has administrator privileges: true
                                                      Programmed in: C, C++ or other language
                                                      Reputation: high
                                                      Has exited: true

                                                      Target ID: 11
                                                      Start time: 17:10:42
                                                      Start date: 09/10/2024
                                                      Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      Wow64 process (32bit): false
                                                      Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User.exe'
                                                      Imagebase: 0x7ff788560000
                                                      File size: 452'608 bytes
                                                      MD5 hash: 04029E121A0CFA5991749937DD22A1D9
                                                      Has elevated privileges: true
                                                      Has administrator privileges: true
                                                      Programmed in: C, C++ or other language
                                                      Reputation: high
                                                      Has exited: true

                                                      Target ID: 12
                                                      Start time: 17:10:42
                                                      Start date: 09/10/2024
                                                      Path: C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit): false
                                                      Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase: 0x7ff7699e0000
                                                      File size: 862'208 bytes
                                                      MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges: true
                                                      Has administrator privileges: true
                                                      Programmed in: C, C++ or other language
                                                      Reputation: high
                                                      Has exited: true

                                                      Target ID: 13
                                                      Start time: 17:11:16
                                                      Start date: 09/10/2024
                                                      Path: C:\Users\user\AppData\Roaming\System User.exe
                                                      Wow64 process (32bit): false
                                                      Commandline: "C:\Users\user\AppData\Roaming\System User.exe"
                                                      Imagebase: 0x2f0000
                                                      File size: 80'896 bytes
                                                      MD5 hash: 7EF6D06098D77DC55BEDB7F332E21A22
                                                      Has elevated privileges: false
                                                      Has administrator privileges: false
                                                      Programmed in: C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\System User.exe, Author: Joe Security
                                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\System User.exe, Author: Joe Security
                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\System User.exe, Author: ditekSHen
                                                      Antivirus matches:
                                                      • Detection: 100%, Avira
                                                      • Detection: 100%, Joe Sandbox ML
                                                      • Detection: 76%, ReversingLabs
                                                      Reputation: low
                                                      Has exited: true

                                                      Target ID: 15
                                                      Start time: 17:11:24
                                                      Start date: 09/10/2024
                                                      Path: C:\Users\user\AppData\Roaming\System User.exe
                                                      Wow64 process (32bit): false
                                                      Commandline: "C:\Users\user\AppData\Roaming\System User.exe"
                                                      Imagebase: 0x2c0000
                                                      File size: 80'896 bytes
                                                      MD5 hash: 7EF6D06098D77DC55BEDB7F332E21A22
                                                      Has elevated privileges: false
                                                      Has administrator privileges: false
                                                      Programmed in: C, C++ or other language
                                                      Reputation: low
                                                      Has exited: true


                                                        Execution Graph

                                                        Execution Coverage: 25.3%
                                                        Dynamic/Decrypted Code Coverage: 100%
                                                        Signature Coverage: 27.3%
                                                        Total number of Nodes: 11
                                                        Total number of Limit Nodes: 0
                                                        execution_graph
                                                          Nodes (id: address [API]):
                                                            4640: 7ffd9b80935d
                                                            4641: 7ffd9b80931b
                                                            4642: 7ffd9b809362
                                                            4643: 7ffd9b809402 RtlSetProcessIsCritical
                                                            4644: 7ffd9b809462
                                                            4645: 7ffd9b8098a8
                                                            4647: 7ffd9b8098b1 SetWindowsHookExW
                                                            4648: 7ffd9b809981
                                                            4649: 7ffd9b807581
                                                            4650: 7ffd9b8075ce CheckRemoteDebuggerPresent
                                                            4652: 7ffd9b80763f
                                                          Edges:
                                                            4640->4641, 4640->4642, 4642->4641, 4642->4643, 4643->4644, 4645->4647, 4647->4648, 4649->4650, 4650->4652

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph
                                                          Blocks (id: address range [API]):
                                                            153: 7ffd9b807581-7ffd9b80763d CheckRemoteDebuggerPresent
                                                            156: 7ffd9b807645-7ffd9b807688
                                                            157: 7ffd9b80763f
                                                          Edges:
                                                            153->156, 153->157, 157->156
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2937869016.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b800000_Lr87y2w72r.jbxd
                                                        Similarity
                                                        • API ID: CheckDebuggerPresentRemote
                                                        • String ID:
                                                        • API String ID: 3662101638-0
                                                        • Opcode ID: eaa5c4de4d396b9ab8872d80e89b1f06a300b4c5eb89aa8529a2d325ea9bace7
                                                        • Instruction ID: ad1f54da053af4c7eecec52a8efc3c148b7ee36f6232e4eca27aa68c9aff2fba
                                                        • Opcode Fuzzy Hash: eaa5c4de4d396b9ab8872d80e89b1f06a300b4c5eb89aa8529a2d325ea9bace7
                                                        • Instruction Fuzzy Hash: BD31E33190875C8FCB58DF58C88ABE97BE0EF65311F0542AED489D7292DB34A846CB91

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 505 7ffd9b805bc6-7ffd9b805bd3 506 7ffd9b805bd5-7ffd9b805bdd 505->506 507 7ffd9b805bde-7ffd9b805ca7 505->507 506->507 511 7ffd9b805ca9-7ffd9b805cb2 507->511 512 7ffd9b805d13 507->512 511->512 514 7ffd9b805cb4-7ffd9b805cc0 511->514 513 7ffd9b805d15-7ffd9b805d3a 512->513 520 7ffd9b805d3c-7ffd9b805d45 513->520 521 7ffd9b805da6 513->521 515 7ffd9b805cf9-7ffd9b805d11 514->515 516 7ffd9b805cc2-7ffd9b805cd4 514->516 515->513 518 7ffd9b805cd8-7ffd9b805ceb 516->518 519 7ffd9b805cd6 516->519 518->518 522 7ffd9b805ced-7ffd9b805cf5 518->522 519->518 520->521 523 7ffd9b805d47-7ffd9b805d53 520->523 524 7ffd9b805da8-7ffd9b805e50 521->524 522->515 525 7ffd9b805d8c-7ffd9b805da4 523->525 526 7ffd9b805d55-7ffd9b805d67 523->526 535 7ffd9b805e52-7ffd9b805e5c 524->535 536 7ffd9b805ebe 524->536 525->524 527 7ffd9b805d6b-7ffd9b805d7e 526->527 528 7ffd9b805d69 526->528 527->527 531 7ffd9b805d80-7ffd9b805d88 527->531 528->527 531->525 535->536 537 7ffd9b805e5e-7ffd9b805e6b 535->537 538 7ffd9b805ec0-7ffd9b805ee9 536->538 539 7ffd9b805ea4-7ffd9b805ebc 537->539 540 7ffd9b805e6d-7ffd9b805e7f 537->540 544 7ffd9b805eeb-7ffd9b805ef6 538->544 545 7ffd9b805f53 538->545 539->538 542 7ffd9b805e83-7ffd9b805e96 540->542 543 7ffd9b805e81 540->543 542->542 546 7ffd9b805e98-7ffd9b805ea0 542->546 543->542 544->545 547 7ffd9b805ef8-7ffd9b805f06 544->547 548 7ffd9b805f55-7ffd9b805fe6 545->548 546->539 549 7ffd9b805f08-7ffd9b805f1a 547->549 550 7ffd9b805f3f-7ffd9b805f51 547->550 556 7ffd9b805fec-7ffd9b805ffb 548->556 551 7ffd9b805f1c 549->551 552 7ffd9b805f1e-7ffd9b805f31 549->552 550->548 551->552 552->552 554 7ffd9b805f33-7ffd9b805f3b 552->554 554->550 557 7ffd9b806003-7ffd9b806068 call 7ffd9b806084 556->557 558 7ffd9b805ffd 556->558 565 7ffd9b80606a 557->565 566 7ffd9b80606f-7ffd9b806083 557->566 558->557 565->566
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2937869016.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b800000_Lr87y2w72r.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b1e17294918cafcaa42d43f1d951af244bb9a945fbeeb3f289bd21447f0e70bd
                                                        • Instruction ID: 8e53030a25fc921d0c65f457c677cd6b721aabb05a2df1ae5b638ecb96424edc
                                                        • Opcode Fuzzy Hash: b1e17294918cafcaa42d43f1d951af244bb9a945fbeeb3f289bd21447f0e70bd
                                                        • Instruction Fuzzy Hash: 28F1C730A19A8D8FEBB8DF28C8557E977D1FF58350F04426EE84DC7295CB34A9458B81

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2937869016.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b800000_Lr87y2w72r.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7b684340e87715d9cf021bcec87cd2ceeda1b0ae1a5cd7babffd75531299de50
                                                        • Instruction ID: 3de446bdc789c6214286fcb506d20585973c26a48d46f06d18b6ea16fb363830
                                                        • Opcode Fuzzy Hash: 7b684340e87715d9cf021bcec87cd2ceeda1b0ae1a5cd7babffd75531299de50
                                                        • Instruction Fuzzy Hash: 66E1E770A09A8E4FEBA8DF68C8657E977D1FF58350F04426ED84DC7291CF74A9448B81

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2937869016.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b800000_Lr87y2w72r.jbxd
                                                        Similarity
                                                        • API ID: CriticalProcess
                                                        • String ID:
                                                        • API String ID: 2695349919-0
                                                        • Opcode ID: ee1e40387fa4d7359578489b22ff10e5ca17bb7716d5ff370059354a67ed795b
                                                        • Instruction ID: 8547c6fc3ad86b5a19d3158b89e8c2c095c3bf2fa2d2cf4367258b7036b417ec
                                                        • Opcode Fuzzy Hash: ee1e40387fa4d7359578489b22ff10e5ca17bb7716d5ff370059354a67ed795b
                                                        • Instruction Fuzzy Hash: EFB1E630A0CA4D8FDB58DB58D859BEDBBF0FF59310F1441AED49AD3296CA34A845CB81

                                                        Control-flow Graph

                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2937869016.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_7ffd9b800000_Lr87y2w72r.jbxd
                                                        Similarity
                                                        • API ID: HookWindows
                                                        • String ID:
                                                        • API String ID: 2559412058-0
                                                        • Opcode ID: 9f06bf38bcbd04025355d6332af9587d7493bb343d2a75c8eb8d34e1902c38cd
                                                        • Instruction ID: 51ecd86c0f53960d068f9f135e1687a315bac8f149088a5cb794d958122afe1a
                                                        • Opcode Fuzzy Hash: 9f06bf38bcbd04025355d6332af9587d7493bb343d2a75c8eb8d34e1902c38cd
                                                        • Instruction Fuzzy Hash: 8D410831A1CA5C4FDB58DF6C985A6F9BBE1EF99321F00427ED059C3292CA75A812C7C1
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1785393453.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b8d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fe409090c467a6b2d4fc81742e4ca6e85bf4c7bfb8e50dd0ae3c011926281b3e
                                                        • Instruction ID: 8f4a0baeedff3457edf2ee87aac7a4adfe65f59fcdcdb4595dfca4beebf01eee
                                                        • Opcode Fuzzy Hash: fe409090c467a6b2d4fc81742e4ca6e85bf4c7bfb8e50dd0ae3c011926281b3e
                                                        • Instruction Fuzzy Hash: 93D14772B0FACE4FEB659BA848755B57BA1EF89210B0903FFD45CC70E3D918A8058341
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1784034700.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b800000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 39ca1354bd4b58ff103cd71300d85a12ac05eff918ee6c81ec21711887675780
                                                        • Instruction ID: 10b70ba65fa66b07dc803774a2dad7da6dcf62dedcc0a03d6ad52fd8ec8b5799
                                                        • Opcode Fuzzy Hash: 39ca1354bd4b58ff103cd71300d85a12ac05eff918ee6c81ec21711887675780
                                                        • Instruction Fuzzy Hash: 0F711973A0F6DE5FEB22DB6C98754D93B70EF15698B0A01F7C4D48E0A3ED1466064382
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1784034700.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b800000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1892a8022a8b9c59f9e1d8355556df2cc19b889189e752919dc6264241fc9adc
                                                        • Instruction ID: 640e52101920ce1133ee6f14d91fd31e8c489956ba609d6db8aa4c2cc97d50ca
                                                        • Opcode Fuzzy Hash: 1892a8022a8b9c59f9e1d8355556df2cc19b889189e752919dc6264241fc9adc
                                                        • Instruction Fuzzy Hash: A4411B63A0FACE5FE722CB784C654D53FA0EF16A84B0A41FBC0D48F0E3EA1465468381
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1784034700.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b800000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f317ce302b986276d20b441135751185737997176929f4f5fbeb79dd48cdeb1a
                                                        • Instruction ID: f7ae67e99354ecf7bd85e9f93314fc6b9f3be0b949394e7ccceb000d8ea64426
                                                        • Opcode Fuzzy Hash: f317ce302b986276d20b441135751185737997176929f4f5fbeb79dd48cdeb1a
                                                        • Instruction Fuzzy Hash: CE41FA32A0DB4C8FDB589F5C985A6E977E1FF99310F40416FE48983292DB20B946C7C2
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1781115346.00007FFD9B6ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6ED000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b6ed000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2e05e8a9c1645c7295fc7289e8b10c9984b3041dfdd887c45f34caa0f34882f2
                                                        • Instruction ID: 183bdcfb35d1814ccded591755392cbdf6abb52962e7e72a08cd6b02f5c02a4a
                                                        • Opcode Fuzzy Hash: 2e05e8a9c1645c7295fc7289e8b10c9984b3041dfdd887c45f34caa0f34882f2
                                                        • Instruction Fuzzy Hash: 7641157150EBC84FE7A68B2898559523FB0EF52320B1606EFD0C8CF1A7D625B846C792
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1784034700.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b800000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 67266866394ec882387d1497af43066f53ceef882c522076e9e3ca5edf107e70
                                                        • Instruction ID: 47e4d6bd540923d5f4f42efdea4a210bfd6fcaf4a6721e31df6d4f4f24586d4e
                                                        • Opcode Fuzzy Hash: 67266866394ec882387d1497af43066f53ceef882c522076e9e3ca5edf107e70
                                                        • Instruction Fuzzy Hash: D531FB3190DB8C5FDB55DBA898496E97FF0EF56320F0481AFD088C7163D674584ACB51
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1784034700.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b800000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                        • Instruction ID: 2b13d53e025c2be8e90647bd55e6abaa926a26a99d8691448afac0a98a8ed019
                                                        • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                        • Instruction Fuzzy Hash: A001A73021CB0D4FD748EF0CE051AA6B3E0FF89360F10056DE58AC36A1DA32E882CB41
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1785393453.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b8d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bbd739304f2adb21c75fc5ca23a0ce01a59ad6a1bc9a1afe1851de3855821f82
                                                        • Instruction ID: 35d88a4e07d1e94e17ec44fd99c2e40dac8263d1b54528619819a4c72affd21e
                                                        • Opcode Fuzzy Hash: bbd739304f2adb21c75fc5ca23a0ce01a59ad6a1bc9a1afe1851de3855821f82
                                                        • Instruction Fuzzy Hash: EBF09032B0D5094FDB68EB4CE45189473E0EF5932071501BBE06DC71B3CA25EC408740
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1785393453.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b8d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f165ff80040a414cfa96e0a919bfb6f8236be3ae13e78658e6b7978e9c09b5cd
                                                        • Instruction ID: 273a93717a68e959e13f094b4fbbe92c575fabde60f8a7531c749842e7a187bc
                                                        • Opcode Fuzzy Hash: f165ff80040a414cfa96e0a919bfb6f8236be3ae13e78658e6b7978e9c09b5cd
                                                        • Instruction Fuzzy Hash: DAF0BE32A0E5498FDB64EB4CE0648A873E0FF4932070601BBE05DCB0A3DA25BC80C780
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1785393453.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b8d0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                        • Instruction ID: 7088ed3d6d6b9d5ea87a478394cc45f134a04600c237e2e00915a735f27c0c4b
                                                        • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                        • Instruction Fuzzy Hash: 07E01A31B0C8089FDB78DB4CE0519A973E1EB98331B1602BBD14EC7571CA22ED518B80
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000001.00000002.1784034700.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_1_2_7ffd9b800000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: K_^4$K_^7$K_^F$K_^J
                                                        • API String ID: 0-377281160
                                                        • Opcode ID: 4bcb7626cc64b94c55d6df8f3314fc61f7497ef9aa3022dd500b8fbce610da28
                                                        • Instruction ID: 9d309066f7feec984ecd3bd4730bca1830a416a0825308ca437a89f333535588
                                                        • Opcode Fuzzy Hash: 4bcb7626cc64b94c55d6df8f3314fc61f7497ef9aa3022dd500b8fbce610da28
                                                        • Instruction Fuzzy Hash: AE21297BB085655ED705BB7CB8189DD3BA0CF9827935642F3D0A9CB093ED14708786C0
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1913333805.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffd9b8c0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fd21e184206a97605d164138a4bfb76aadfb299d888a45a26a13542a81744c77
                                                        • Instruction ID: 1e891105826528d84dc6ebb82be63c490ed82e702f2d66598bb3f160c96f77fb
                                                        • Opcode Fuzzy Hash: fd21e184206a97605d164138a4bfb76aadfb299d888a45a26a13542a81744c77
                                                        • Instruction Fuzzy Hash: F3D147B2B0FA8E4FEB65AB6888745B57BA0EF69314B1901FFD45CC70E3D918A905C341
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1912701393.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffd9b7f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: d2bef88a42460b65a7605fc603a8c576a140aabd0771fa90b75c17a420918ad5
                                                        • Instruction ID: ab66881e17706c433e9d943a904a639c1e558348a4e868952acdd66e58485798
                                                        • Opcode Fuzzy Hash: d2bef88a42460b65a7605fc603a8c576a140aabd0771fa90b75c17a420918ad5
                                                        • Instruction Fuzzy Hash: 33415B31A0DB884FDB18DF6C9C0A6B87FE0FB55710F04426FD09993193CA20A905CBC6
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1912113172.00007FFD9B6DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6DD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffd9b6dd000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e139c3b0b8f4c4353188c223881b0e15d7c64837943e02a51b1a8b95c0095f1d
                                                        • Instruction ID: 882b3d56abdcfd40baa6e16316e25da625bcc768af762cfcaa28adcfe60e4525
                                                        • Opcode Fuzzy Hash: e139c3b0b8f4c4353188c223881b0e15d7c64837943e02a51b1a8b95c0095f1d
                                                        • Instruction Fuzzy Hash: F541057150EBC84FE7669B299C519523FF0EF52320B1A06EFD088CB1A3D625A846C792
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1912701393.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffd9b7f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 69af30d13534e6d3fcbc346695318f997dc7f42f65e2deddfb7337fa3faecc78
                                                        • Instruction ID: 41ae013e9393c8ded9f96130de276f7975b17e2767fef1442dfe24a444b7956b
                                                        • Opcode Fuzzy Hash: 69af30d13534e6d3fcbc346695318f997dc7f42f65e2deddfb7337fa3faecc78
                                                        • Instruction Fuzzy Hash: 8121F831A0CB4C4FDB59DBAC984A7E97FF0EB96321F04426FD449C3162D674A816CB92
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1912701393.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffd9b7f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                        • Instruction ID: f015c6d8f1291ae9f9a84129c24d6f916cfece872e45c549876b83854877da12
                                                        • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                        • Instruction Fuzzy Hash: D001A73020CB0C4FD748EF0CE051AA5B7E0FF85360F10056DE58AC36A1DA32E882CB45
                                                        Memory Dump Source
                                                        • Source File: 00000004.00000002.1912701393.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_4_2_7ffd9b7f0000_powershell.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bb1f6cd3daa3d7e381d4f5350efa31c82df4448841c77012aa578d8e76fe5637
                                                        • Instruction ID: b4eb87e32acabdbeddb465b8adedf0a86f61234b25e0ab8f89582c9d627b2a4f
                                                        • Opcode Fuzzy Hash: bb1f6cd3daa3d7e381d4f5350efa31c82df4448841c77012aa578d8e76fe5637
                                                        • Instruction Fuzzy Hash: 6DF0F636A09B8C4FDB51DF6C98690E57FB0FF66211B0601ABD448C7071DA615A48C7C2
                                                        Memory Dump Source
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7ffd9b7e0000_System User.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4N_^
                                                        • API String ID: 0-2516135240
                                                        • Opcode ID: 64a816fbd45b6d8b3d6312e111dffea62e6a4edcfdd4265b41e447e14a36cea7
                                                        • Instruction ID: d1029491ceff5418204005a0f922669210586f1eeb7631b4aca10d52a7c51528
                                                        • Opcode Fuzzy Hash: 64a816fbd45b6d8b3d6312e111dffea62e6a4edcfdd4265b41e447e14a36cea7
                                                        • Instruction Fuzzy Hash: 4F512921B0D6CA0FE356A7785866AB93FE1DF8622474941FBD08DCB1E7DC1C5C468352
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.2453624874.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7ffd9b7e0000_System User.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: <N_^
                                                        • API String ID: 0-1347224999
                                                        • Opcode ID: ddc902c51efd3b163374312e9dcc3a1d8504bbfbbaa4bbe4a8d1f6a4f435af50
                                                        • Instruction ID: a21715917f2ef569d91bc0d3cd86868cbbc9fb66fbbf7fb87067c882a41201ef
                                                        • Opcode Fuzzy Hash: ddc902c51efd3b163374312e9dcc3a1d8504bbfbbaa4bbe4a8d1f6a4f435af50
                                                        • Instruction Fuzzy Hash: F241263AA096DA0FD705F768A4759EC7FB0AF81218B6544F6D05CCB2DBCD28A405C381
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.2453624874.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7ffd9b7e0000_System User.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 83e297306466f60a9e34f10e7c60bd6954432b36e6a0c34444a4aadd07499082
                                                        • Instruction ID: 0d7bfdc9e46b28eb297c89bea6297405e4c0b476301c0d32a5da463bed558261
                                                        • Opcode Fuzzy Hash: 83e297306466f60a9e34f10e7c60bd6954432b36e6a0c34444a4aadd07499082
                                                        • Instruction Fuzzy Hash: CAC1DA71B19A8D0FEBA8F774847A6AD77E1FF98304B410579D04EC36F6DD28A9018780
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.2453624874.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7ffd9b7e0000_System User.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 02087d24846294407e7950e3129dab6928662165642e07b2c0a2b2f7432788ee
                                                        • Instruction ID: 941bcdbaf6779d01877b51324dfdc9f2641fdaa397ea29b8ce7fb5816b082dad
                                                        • Opcode Fuzzy Hash: 02087d24846294407e7950e3129dab6928662165642e07b2c0a2b2f7432788ee
                                                        • Instruction Fuzzy Hash: 1DA1582BB08AA68BD704BBBCB8656ED7BA0EFC1336B1545B7C149CB1D3CD24644687C0
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.2453624874.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7ffd9b7e0000_System User.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 03d04f0c643ed20762ca4584883f0d12a764917fe6280d8b16779ef7fe671eb6
                                                        • Instruction ID: a5eaa174eba952b328711aa1928a7dfdd482da0fb0eeba4c8645c8352f9b2c7d
                                                        • Opcode Fuzzy Hash: 03d04f0c643ed20762ca4584883f0d12a764917fe6280d8b16779ef7fe671eb6
                                                        • Instruction Fuzzy Hash: F4915A2BB08AAA4BD704BB7CB8156ED7BA0EFC4336B1545B7C249CB1D7CD24644687D0
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.2453624874.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7ffd9b7e0000_System User.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a2e225dde60b4271f7da0810ea8384f5f77ed3cd1016dcfcbee0757250df6bda
                                                        • Instruction ID: e17c186a998916ad9b010707076f378dbff28ff83c33e1f2f900a17c09a500af
                                                        • Opcode Fuzzy Hash: a2e225dde60b4271f7da0810ea8384f5f77ed3cd1016dcfcbee0757250df6bda
                                                        • Instruction Fuzzy Hash: 9781592BB08AAA8BD704BB7CB8256ED7BA0EFC4336B1545B7C149CB1D7CD24644687C0
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.2453624874.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7ffd9b7e0000_System User.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6eaa659398a16b0112ccd539928f38dbaa4500fd70192ef8d337ef430682b869
                                                        • Instruction ID: b49c3fcae94c065280c0c0536d124a9a9d50eed4e3f706e488d23769001b7ad8
                                                        • Opcode Fuzzy Hash: 6eaa659398a16b0112ccd539928f38dbaa4500fd70192ef8d337ef430682b869
                                                        • Instruction Fuzzy Hash: 9D81492BB08A6A8AD704BB7CB8156ED7BA0EFC4336B1545B7C149CB1D7CD24644687C0
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.2453624874.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7ffd9b7e0000_System User.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cb0e7e054df5b3bcaad3397d5838858f8be2508598396db8115a73542ca844ab
                                                        • Instruction ID: 8d224e30df1a3a22da106a451c1357b24913c3f0b29eafa9cc3a016043a85e39
                                                        • Opcode Fuzzy Hash: cb0e7e054df5b3bcaad3397d5838858f8be2508598396db8115a73542ca844ab
                                                        • Instruction Fuzzy Hash: AA71573BB08AAA8AD704BB7CB8666ED7BA0EFC4326B1545B6D149C71D3CD246046C7C0
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.2453624874.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7ffd9b7e0000_System User.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b41674072d391b5ad8018346211f9913beaa6f25fa588efa36121f791282ecc6
                                                        • Instruction ID: 9b7820170b0d50d8a6dd3d9c9510527b25e78faec39519ac2b1d46832834b33e
                                                        • Opcode Fuzzy Hash: b41674072d391b5ad8018346211f9913beaa6f25fa588efa36121f791282ecc6
                                                        • Instruction Fuzzy Hash: E851D11070EBC90FE78A9B7858696A57FD2DF9A224B0901FBE08DCB1E7DD585C06C352
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.2453624874.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7ffd9b7e0000_System User.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 28d23f635c675820cdfc861cc236d9cde3628d3b538f520d5cb302940731a650
                                                        • Instruction ID: e4ba5add5a7418080bf859f0c88ed93c33935018877494eaf5d88e13322e2995
                                                        • Opcode Fuzzy Hash: 28d23f635c675820cdfc861cc236d9cde3628d3b538f520d5cb302940731a650
                                                        • Instruction Fuzzy Hash: 30515626A0D6CA0FD705E77CA4759ED7FB0AF8160876644F6D098CB2EBCD286405C381
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.2453624874.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7ffd9b7e0000_System User.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e328ff641ad71e902568b893ac9958df4b6877cbaedeea9a3d0e1e9546d057fb
                                                        • Instruction ID: 061529914f902b23e55995fb46a7044146888342901c5ed628a6100a4e95454b
                                                        • Opcode Fuzzy Hash: e328ff641ad71e902568b893ac9958df4b6877cbaedeea9a3d0e1e9546d057fb
                                                        • Instruction Fuzzy Hash: 9D31D321B1C94D0FE798EF6C586A778B6C2EF98355F0505BAE04EC32E7DD64AC028341
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.2453624874.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7ffd9b7e0000_System User.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 059a0599697cfecc122b4c035d8678cf239a3d151c685e0d7a53dd7f6be69310
                                                        • Instruction ID: 0850f3eb9c04a2a0c616ad40f6352a5e7752ea899d12a35bb5804ab32147e419
                                                        • Opcode Fuzzy Hash: 059a0599697cfecc122b4c035d8678cf239a3d151c685e0d7a53dd7f6be69310
                                                        • Instruction Fuzzy Hash: C5312811F18A490FEB44BBBC586A7BD76D2EFD8710F0542BAE00DC32E7DD2868418382
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.2453624874.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7ffd9b7e0000_System User.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a376858c871d095ca952ba65039dd28a309d39c2b318f760b86e2f962d0c0eee
                                                        • Instruction ID: dfb78b0a59473d35621c6a49e04a72a8a7a0d5d6a9c39243deac91b6cc59e3f0
                                                        • Opcode Fuzzy Hash: a376858c871d095ca952ba65039dd28a309d39c2b318f760b86e2f962d0c0eee
                                                        • Instruction Fuzzy Hash: A441D734B19A8E4FEB58EB689465AED7BB1FF98300F5105B5D019D32D6CD3869018781
                                                        Memory Dump Source
                                                        • Source File: 0000000D.00000002.2453624874.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_13_2_7ffd9b7e0000_System User.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5e711a766dcb171afd1bb86278eccfea64d45f42c34bdb35a3b8dbaf760c9dca
                                                        • Instruction ID: 7b2636c8486dc99735b527dc72ab64edb749561d5f3d8139c3e6b1f837dd0610
                                                        • Opcode Fuzzy Hash: 5e711a766dcb171afd1bb86278eccfea64d45f42c34bdb35a3b8dbaf760c9dca
                                                        • Instruction Fuzzy Hash: 30012B55A0E7C50FE756A73818764757FE09F9220070905FAE884C65B7D9089A418382
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.2543235143.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_7ffd9b800000_System User.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 9L_^
                                                        • API String ID: 0-1679237627
                                                        • Opcode ID: 3789cd491fb0dc6ec0740cf332048f5df429ef1aab3bb07bdb8c59a0b8da42cc
                                                        • Instruction ID: 6825de7218e4c9c92cd171e779418256a47b59a8d904292260aa3f2e391cb2b1
                                                        • Opcode Fuzzy Hash: 3789cd491fb0dc6ec0740cf332048f5df429ef1aab3bb07bdb8c59a0b8da42cc
                                                        • Instruction Fuzzy Hash: 3B61692AF1995E4AD704FBBCA4269FC37A1EFC8329B2545B6D05DC72D7CD28648683C0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.2543235143.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_7ffd9b800000_System User.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 4L_^
                                                        • API String ID: 0-2524838182
                                                        • Opcode ID: 2cd7e6b8fcd02797000112a49f7b621aaec932fb6443dc3708116686aea82b8f
                                                        • Instruction ID: c0a721457116c6755a61499e89df718a6287d874769d2c0a70d2664827b3c9ce
                                                        • Opcode Fuzzy Hash: 2cd7e6b8fcd02797000112a49f7b621aaec932fb6443dc3708116686aea82b8f
                                                        • Instruction Fuzzy Hash: 28513A21B1D68A0FE356AB7858669F93BE1DF8A264B0940FBE08DC71E7DC0C5C428352
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.2543235143.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_7ffd9b800000_System User.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: <L_^
                                                        • API String ID: 0-1405735369
                                                        • Opcode ID: b1217e9b5471ab5dca470431778d2af9c7a54c22e9b0238f6e8aa58afea072ae
                                                        • Instruction ID: 701f64596a99831a3ca829ac3e677ab801f6eacf1515b14030713944c5911181
                                                        • Opcode Fuzzy Hash: b1217e9b5471ab5dca470431778d2af9c7a54c22e9b0238f6e8aa58afea072ae
                                                        • Instruction Fuzzy Hash: 4441143AB0968A4FD305FB68A4769EC7F70AF85218B5944FAD058CB2EBCD2868458341
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.2543235143.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_7ffd9b800000_System User.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 22ac48f59605ed9e5bceae1f717fdfd3fb40af1e76ea2c84cbffdd94778c936e
                                                        • Instruction ID: 950288f98b1c08fa191c80a182019c314af6d2821be984b5a5af1b7e8ebf63fb
                                                        • Opcode Fuzzy Hash: 22ac48f59605ed9e5bceae1f717fdfd3fb40af1e76ea2c84cbffdd94778c936e
                                                        • Instruction Fuzzy Hash: 73C19671B19A4E4FD7A8FB78847A6ED77A1FF89344F410479E04DC32E6DE2869418780
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.2543235143.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_7ffd9b800000_System User.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0639a4e802bba6b6fe60991d4d2438edbd3bceb44c72ed01ba17d1bc1580895e
                                                        • Instruction ID: 01d81a8bd4f000e07927a80bbfd907b513d176b3c13fb70dab89594b2730b65b
                                                        • Opcode Fuzzy Hash: 0639a4e802bba6b6fe60991d4d2438edbd3bceb44c72ed01ba17d1bc1580895e
                                                        • Instruction Fuzzy Hash: D5A1662BB0899A4AD705BBBCB8665FC3B60EFC6366B1541B7C149CB1D7CD24608AC7C1
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.2543235143.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_7ffd9b800000_System User.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7ff958572e2b7fa322f3710c52653d2b094e7b28df026a5d7021560cb2669dc6
                                                        • Instruction ID: eabd935f46c6ffd0c9bbd67f5fac94181b8fc703a179b49cbaf9835ba6434918
                                                        • Opcode Fuzzy Hash: 7ff958572e2b7fa322f3710c52653d2b094e7b28df026a5d7021560cb2669dc6
                                                        • Instruction Fuzzy Hash: A891542BB0895A4AD704BBBCB8265FD3B60EFC5366B1585B7C189CB1D7CD246086C7C1
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.2543235143.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_7ffd9b800000_System User.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 92f3deca8c3716d8eb8afe1ccc85c4e80ba98e0b11432281ac9eaeb23b0a2ed2
                                                        • Instruction ID: e21c44e24e6591e70498a48ca1d75d6573ae6ae4ea1a6165e59a7539823812e8
                                                        • Opcode Fuzzy Hash: 92f3deca8c3716d8eb8afe1ccc85c4e80ba98e0b11432281ac9eaeb23b0a2ed2
                                                        • Instruction Fuzzy Hash: 1481662BB0895A4AD705BBBCB8265FD3B60EFC5366B2585B7C049CB1D7CD246086C7C0
                                                        Memory Dump Source
                                                        • Source File: 0000000F.00000002.2543235143.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_15_2_7ffd9b800000_System User.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6c49ef5ef34ad093c10854b33290067ab9790c237cccfa542d10028423bb7d46
                                                        • Instruction ID: f59830365c3e2109fda91d845623e56c8ba5ccbe23d22d90474e52492435161b
                                                        • Opcode Fuzzy Hash: 6c49ef5ef34ad093c10854b33290067ab9790c237cccfa542d10028423bb7d46
                                                        • Instruction Fuzzy Hash: 8281432BB0895A4AD704BBBCB8266FD3B60EFC5366B2585B7D149CB1D7CD246086C7C0