
Windows Analysis Report
W6s1vzcRdj.exe

Overview

General Information

Sample name: W6s1vzcRdj.exe (renamed because original name is a hash value)
Original sample name: c68421f86ca419eac8bb89fcd66b860db60ed4201c16bfa4159436bbbae9401e.exe
Analysis ID: 1570402
MD5: 919023267a38b0b6641b26319901fddf
SHA1: dbd25f981353ce0f824fb441a2a0dc2441bdc8da
SHA256: c68421f86ca419eac8bb89fcd66b860db60ed4201c16bfa4159436bbbae9401e
Tags: exe, user-Chainskilabs

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • W6s1vzcRdj.exe (PID: 3132 cmdline: "C:\Users\user\Desktop\W6s1vzcRdj.exe" MD5: 919023267A38B0B6641B26319901FDDF)
    • powershell.exe (PID: 2260 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\W6s1vzcRdj.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7248 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'W6s1vzcRdj.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7488 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7788 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 8016 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 8024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • System User.exe (PID: 8092 cmdline: "C:\Users\user\AppData\Roaming\System User.exe" MD5: 919023267A38B0B6641B26319901FDDF)
  • System User.exe (PID: 4908 cmdline: "C:\Users\user\AppData\Roaming\System User.exe" MD5: 919023267A38B0B6641B26319901FDDF)
  • System User.exe (PID: 1104 cmdline: "C:\Users\user\AppData\Roaming\System User.exe" MD5: 919023267A38B0B6641B26319901FDDF)
  • System User.exe (PID: 7464 cmdline: "C:\Users\user\AppData\Roaming\System User.exe" MD5: 919023267A38B0B6641B26319901FDDF)
  • cleanup
Malware configuration: {"C2 url": ["database-recommendations.gl.at.ply.gg"], "Port": 17666, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "PowerShell.exe"}
Yara matches (Source | Rule | Description | Author | Strings):
Source: W6s1vzcRdj.exe | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: W6s1vzcRdj.exe | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen | Strings:
  • 0x11cbf:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x11d5c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x11e71:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10ecf:$cnc4: POST / HTTP/1.1
Source: C:\Users\user\AppData\Roaming\System User.exe | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: C:\Users\user\AppData\Roaming\System User.exe | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen | Strings:
  • 0x11cbf:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x11d5c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x11e71:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10ecf:$cnc4: POST / HTTP/1.1
Source: 00000000.00000000.1664144119.0000000000472000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 00000000.00000000.1664144119.0000000000472000.00000002.00000001.01000000.00000003.sdmp | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen | Strings:
  • 0x11abf:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x11b5c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x11c71:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10ccf:$cnc4: POST / HTTP/1.1
Source: Process Memory Space: W6s1vzcRdj.exe PID: 3132 | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 0.0.W6s1vzcRdj.exe.470000.0.unpack | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 0.0.W6s1vzcRdj.exe.470000.0.unpack | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen | Strings:
  • 0x11cbf:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x11d5c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x11e71:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10ecf:$cnc4: POST / HTTP/1.1

            System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\W6s1vzcRdj.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\W6s1vzcRdj.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\W6s1vzcRdj.exe", ParentImage: C:\Users\user\Desktop\W6s1vzcRdj.exe, ParentProcessId: 3132, ParentProcessName: W6s1vzcRdj.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\W6s1vzcRdj.exe', ProcessId: 2260, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\W6s1vzcRdj.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\W6s1vzcRdj.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\W6s1vzcRdj.exe", ParentImage: C:\Users\user\Desktop\W6s1vzcRdj.exe, ParentProcessId: 3132, ParentProcessName: W6s1vzcRdj.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\W6s1vzcRdj.exe', ProcessId: 2260, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\System User.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\W6s1vzcRdj.exe, ProcessId: 3132, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System User
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\W6s1vzcRdj.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\W6s1vzcRdj.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\W6s1vzcRdj.exe", ParentImage: C:\Users\user\Desktop\W6s1vzcRdj.exe, ParentProcessId: 3132, ParentProcessName: W6s1vzcRdj.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\W6s1vzcRdj.exe', ProcessId: 2260, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\W6s1vzcRdj.exe, ProcessId: 3132, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\W6s1vzcRdj.exe", ParentImage: C:\Users\user\Desktop\W6s1vzcRdj.exe, ParentProcessId: 3132, ParentProcessName: W6s1vzcRdj.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe", ProcessId: 8016, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\W6s1vzcRdj.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\W6s1vzcRdj.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\W6s1vzcRdj.exe", ParentImage: C:\Users\user\Desktop\W6s1vzcRdj.exe, ParentProcessId: 3132, ParentProcessName: W6s1vzcRdj.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\W6s1vzcRdj.exe', ProcessId: 2260, ProcessName: powershell.exe

Suricata alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2024-12-06T22:54:57.626858+0100 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49843 | 147.185.221.24 | 17666 | TCP


            AV Detection

Source: W6s1vzcRdj.exe | Avira: detected
Source: database-recommendations.gl.at.ply.gg | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\System User.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: W6s1vzcRdj.exe | Malware Configuration Extractor: Xworm {"C2 url": ["database-recommendations.gl.at.ply.gg"], "Port": 17666, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "PowerShell.exe"}
Source: C:\Users\user\AppData\Roaming\System User.exe | ReversingLabs: Detection: 81%
Source: W6s1vzcRdj.exe | ReversingLabs: Detection: 81%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\System User.exe | Joe Sandbox ML: detected
Source: W6s1vzcRdj.exe | Joe Sandbox ML: detected
Source: W6s1vzcRdj.exe | String decryptor: database-recommendations.gl.at.ply.gg
Source: W6s1vzcRdj.exe | String decryptor: 17666
Source: W6s1vzcRdj.exe | String decryptor: <123456789>
Source: W6s1vzcRdj.exe | String decryptor: <Xwormmm>
Source: W6s1vzcRdj.exe | String decryptor: Spoofer Test
Source: W6s1vzcRdj.exe | String decryptor: PowerShell.exe
Source: W6s1vzcRdj.exe | String decryptor: %AppData%
Source: W6s1vzcRdj.exe | String decryptor: System User.exe
Source: W6s1vzcRdj.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: W6s1vzcRdj.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49843 -> 147.185.221.24:17666
Source: Malware configuration extractor | URLs: database-recommendations.gl.at.ply.gg
Source: global traffic | TCP traffic: 192.168.2.4:49738 -> 147.185.221.24:17666
Source: Joe Sandbox View | IP Address: 147.185.221.24
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: database-recommendations.gl.at.ply.gg
Source: powershell.exe, 00000004.00000002.1872679068.00000203FFCEB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2233490954.000001D2F2846000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000004.00000002.1872679068.00000203FFCEB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2233490954.000001D2F2846000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000001.00000002.1771166507.00000264CD990000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micros
Source: powershell.exe, 00000007.00000002.2028374378.00000209DB8FA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://csoft.com/pki/crls/MicRooCerAut_23.crl0Z
Source: powershell.exe, 00000001.00000002.1765021988.00000264C54E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1848958322.0000020390072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2002787360.00000209D3392000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2192497645.000001D290070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2060108741.000001D280229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1739871018.00000264B5698000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800033403.0000020380228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1912141324.00000209C354A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2060108741.000001D280229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: W6s1vzcRdj.exe, 00000000.00000002.2924667546.0000000002691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1739871018.00000264B5471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800033403.0000020380001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1912141324.00000209C3321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2060108741.000001D280001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1739871018.00000264B5698000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800033403.0000020380228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1912141324.00000209C354A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2060108741.000001D280229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.2060108741.000001D280229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.1868034933.00000203FFB60000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000001.00000002.1739871018.00000264B5471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800033403.0000020380001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1912141324.00000209C3321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2060108741.000001D280001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000B.00000002.2192497645.000001D290070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2192497645.000001D290070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2192497645.000001D290070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2060108741.000001D280229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1765021988.00000264C54E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1848958322.0000020390072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2002787360.00000209D3392000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2192497645.000001D290070000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

            Operating System Destruction

Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Process information set: 01 00 00 00

            System Summary

Source: W6s1vzcRdj.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.W6s1vzcRdj.exe.470000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1664144119.0000000000472000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\System User.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Code function: 0_2_00007FFD9B889332
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Code function: 0_2_00007FFD9B881679
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Code function: 0_2_00007FFD9B888586
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Code function: 0_2_00007FFD9B88204D
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Code function: 0_2_00007FFD9B880EFA
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Code function: 0_2_00007FFD9B8816B9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B9530E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFD9B9530E9
Source: C:\Users\user\AppData\Roaming\System User.exe | Code function: 15_2_00007FFD9B871679
Source: C:\Users\user\AppData\Roaming\System User.exe | Code function: 15_2_00007FFD9B8716CC
Source: C:\Users\user\AppData\Roaming\System User.exe | Code function: 16_2_00007FFD9B871679
Source: C:\Users\user\AppData\Roaming\System User.exe | Code function: 16_2_00007FFD9B8716CC
Source: C:\Users\user\AppData\Roaming\System User.exe | Code function: 17_2_00007FFD9B891679
Source: C:\Users\user\AppData\Roaming\System User.exe | Code function: 17_2_00007FFD9B890EFA
Source: C:\Users\user\AppData\Roaming\System User.exe | Code function: 17_2_00007FFD9B8916B9
Source: C:\Users\user\AppData\Roaming\System User.exe | Code function: 17_2_00007FFD9B89204D
Source: C:\Users\user\AppData\Roaming\System User.exe | Code function: 19_2_00007FFD9B881679
Source: C:\Users\user\AppData\Roaming\System User.exe | Code function: 19_2_00007FFD9B880EFA
Source: C:\Users\user\AppData\Roaming\System User.exe | Code function: 19_2_00007FFD9B8816B9
Source: W6s1vzcRdj.exe, 00000000.00000000.1664192475.0000000000486000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename8888888888888888888888888888888888888888888888.exe4 vs W6s1vzcRdj.exe
Source: W6s1vzcRdj.exe | Binary or memory string: OriginalFilename8888888888888888888888888888888888888888888888.exe4 vs W6s1vzcRdj.exe
Source: W6s1vzcRdj.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: W6s1vzcRdj.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.W6s1vzcRdj.exe.470000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1664144119.0000000000472000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\System User.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: W6s1vzcRdj.exe, qz3tqcCCqOEYXxIvIX5n4vACtisDEmMaFvF4zyGBmXnfQ4iEqBGzUCvCukZfdULiRl16FP4QL.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: W6s1vzcRdj.exe, 0fBGF1CpRg1UNmcfwvuTflNlP8GdkwZnRq7B6ovb0NCIpIwxCTN54z6hiro9kQ7udsKWAyAby.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: System User.exe.0.dr, qz3tqcCCqOEYXxIvIX5n4vACtisDEmMaFvF4zyGBmXnfQ4iEqBGzUCvCukZfdULiRl16FP4QL.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: System User.exe.0.dr, 0fBGF1CpRg1UNmcfwvuTflNlP8GdkwZnRq7B6ovb0NCIpIwxCTN54z6hiro9kQ7udsKWAyAby.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: W6s1vzcRdj.exe, fEPLSfRFMi5R2cxByQF2s4TjoalENwRmhco5LmoGy.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: W6s1vzcRdj.exe, fEPLSfRFMi5R2cxByQF2s4TjoalENwRmhco5LmoGy.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: System User.exe.0.dr, fEPLSfRFMi5R2cxByQF2s4TjoalENwRmhco5LmoGy.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: System User.exe.0.dr, fEPLSfRFMi5R2cxByQF2s4TjoalENwRmhco5LmoGy.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@20/21@1/1
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | File created: C:\Users\user\AppData\Roaming\System User.exe
Source: C:\Users\user\AppData\Roaming\System User.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7256:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8024:120:WilError_03
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Mutant created: \Sessions\1\BaseNamedObjects\QijTfk1xtBT7v9S8
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4456:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7496:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: W6s1vzcRdj.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: W6s1vzcRdj.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: W6s1vzcRdj.exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | File read: C:\Users\user\Desktop\W6s1vzcRdj.exe
Source: unknown | Process created: C:\Users\user\Desktop\W6s1vzcRdj.exe "C:\Users\user\Desktop\W6s1vzcRdj.exe"
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\W6s1vzcRdj.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'W6s1vzcRdj.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\System User.exe "C:\Users\user\AppData\Roaming\System User.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\System User.exe "C:\Users\user\AppData\Roaming\System User.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\System User.exe "C:\Users\user\AppData\Roaming\System User.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\System User.exe "C:\Users\user\AppData\Roaming\System User.exe"
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\W6s1vzcRdj.exe'
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'W6s1vzcRdj.exe'
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe'
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User.exe'
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe"
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\System User.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
Source: System User.lnk.0.dr | LNK file: ..\..\..\..\..\System User.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: W6s1vzcRdj.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: W6s1vzcRdj.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: W6s1vzcRdj.exe, wm3INqpe0zHP0DqnNaQnHMVZGG4o6fVogWCPxOokV.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_9MMuemDRZ3VRuktgV5DVyrW5bgmyETC4zO1ihQCJ2.bSQE5ip9sF7ivKS7c6SGPMqK9SumpPbSHHwX5vpVT,_9MMuemDRZ3VRuktgV5DVyrW5bgmyETC4zO1ihQCJ2.uGfUbqESIcMlc6or0FtNum4Lr2DZbZa8QzqO1zKXx,_9MMuemDRZ3VRuktgV5DVyrW5bgmyETC4zO1ihQCJ2.oPYwaMu1kyFS0vrkecpvONasoazySeNsZBjPxPqpa,_9MMuemDRZ3VRuktgV5DVyrW5bgmyETC4zO1ihQCJ2.xtoEcBR0ZAmgrXMxstcSUByHXy1m1toXWWzkwyIhW,_0fBGF1CpRg1UNmcfwvuTflNlP8GdkwZnRq7B6ovb0NCIpIwxCTN54z6hiro9kQ7udsKWAyAby._0RGZF4JupkDkCGNYMvknr6ami1CqhRuAmPZohLx9DsXT47TskpH5G0OZPDR()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: W6s1vzcRdj.exe, wm3INqpe0zHP0DqnNaQnHMVZGG4o6fVogWCPxOokV.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{uv37lu3SblSA2HF1vufAYcrlSiEOL1FEgoE7PhWtE[2],_0fBGF1CpRg1UNmcfwvuTflNlP8GdkwZnRq7B6ovb0NCIpIwxCTN54z6hiro9kQ7udsKWAyAby.rKJ2heV5XY8rk3brE2fVwhPfECXGxcXLRkCNJ5rxCkd8m3j6SUlb4SAyQwW(Convert.FromBase64String(uv37lu3SblSA2HF1vufAYcrlSiEOL1FEgoE7PhWtE[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: W6s1vzcRdj.exe, wm3INqpe0zHP0DqnNaQnHMVZGG4o6fVogWCPxOokV.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { uv37lu3SblSA2HF1vufAYcrlSiEOL1FEgoE7PhWtE[2] }}, (string[])null, (Type[])null, (bool[])null, true)
            Source: System User.exe.0.dr, wm3INqpe0zHP0DqnNaQnHMVZGG4o6fVogWCPxOokV.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_9MMuemDRZ3VRuktgV5DVyrW5bgmyETC4zO1ihQCJ2.bSQE5ip9sF7ivKS7c6SGPMqK9SumpPbSHHwX5vpVT,_9MMuemDRZ3VRuktgV5DVyrW5bgmyETC4zO1ihQCJ2.uGfUbqESIcMlc6or0FtNum4Lr2DZbZa8QzqO1zKXx,_9MMuemDRZ3VRuktgV5DVyrW5bgmyETC4zO1ihQCJ2.oPYwaMu1kyFS0vrkecpvONasoazySeNsZBjPxPqpa,_9MMuemDRZ3VRuktgV5DVyrW5bgmyETC4zO1ihQCJ2.xtoEcBR0ZAmgrXMxstcSUByHXy1m1toXWWzkwyIhW,_0fBGF1CpRg1UNmcfwvuTflNlP8GdkwZnRq7B6ovb0NCIpIwxCTN54z6hiro9kQ7udsKWAyAby._0RGZF4JupkDkCGNYMvknr6ami1CqhRuAmPZohLx9DsXT47TskpH5G0OZPDR()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: System User.exe.0.dr, wm3INqpe0zHP0DqnNaQnHMVZGG4o6fVogWCPxOokV.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{uv37lu3SblSA2HF1vufAYcrlSiEOL1FEgoE7PhWtE[2],_0fBGF1CpRg1UNmcfwvuTflNlP8GdkwZnRq7B6ovb0NCIpIwxCTN54z6hiro9kQ7udsKWAyAby.rKJ2heV5XY8rk3brE2fVwhPfECXGxcXLRkCNJ5rxCkd8m3j6SUlb4SAyQwW(Convert.FromBase64String(uv37lu3SblSA2HF1vufAYcrlSiEOL1FEgoE7PhWtE[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: System User.exe.0.dr, wm3INqpe0zHP0DqnNaQnHMVZGG4o6fVogWCPxOokV.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { uv37lu3SblSA2HF1vufAYcrlSiEOL1FEgoE7PhWtE[2] }}, (string[])null, (Type[])null, (bool[])null, true)
            Source: W6s1vzcRdj.exe, wm3INqpe0zHP0DqnNaQnHMVZGG4o6fVogWCPxOokV.cs | .Net Code: oE2DNBQyLx5btG2BQ9Edeg3OVTKzp3f3OwU9snTj4 System.AppDomain.Load(byte[])
            Source: W6s1vzcRdj.exe, wm3INqpe0zHP0DqnNaQnHMVZGG4o6fVogWCPxOokV.cs | .Net Code: _0JFIupIEv7L2b34aE4q4BiW8t71Hg7jLEb6xM82Sa System.AppDomain.Load(byte[])
            Source: W6s1vzcRdj.exe, wm3INqpe0zHP0DqnNaQnHMVZGG4o6fVogWCPxOokV.cs | .Net Code: _0JFIupIEv7L2b34aE4q4BiW8t71Hg7jLEb6xM82Sa
            Source: System User.exe.0.dr, wm3INqpe0zHP0DqnNaQnHMVZGG4o6fVogWCPxOokV.cs | .Net Code: oE2DNBQyLx5btG2BQ9Edeg3OVTKzp3f3OwU9snTj4 System.AppDomain.Load(byte[])
            Source: System User.exe.0.dr, wm3INqpe0zHP0DqnNaQnHMVZGG4o6fVogWCPxOokV.cs | .Net Code: _0JFIupIEv7L2b34aE4q4BiW8t71Hg7jLEb6xM82Sa System.AppDomain.Load(byte[])
            Source: System User.exe.0.dr, wm3INqpe0zHP0DqnNaQnHMVZGG4o6fVogWCPxOokV.cs | .Net Code: _0JFIupIEv7L2b34aE4q4BiW8t71Hg7jLEb6xM82Sa
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B76D2A5 pushad ; iretd 1_2_00007FFD9B76D2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B885E57 push esp; retf 1_2_00007FFD9B885E58
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B952316 push 8B485F92h; iretd 1_2_00007FFD9B95231B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B74D2A5 pushad ; iretd 4_2_00007FFD9B74D2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B8600BD pushad ; iretd 4_2_00007FFD9B8600C1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B932316 push 8B485F94h; iretd 4_2_00007FFD9B93231B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFD9B76D2A5 pushad ; iretd 7_2_00007FFD9B76D2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFD9B885E57 push esp; retf 7_2_00007FFD9B885E58
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFD9B952316 push 8B485F92h; iretd 7_2_00007FFD9B95231B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFD9B75D2A5 pushad ; iretd 11_2_00007FFD9B75D2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFD9B8700BD pushad ; iretd 11_2_00007FFD9B8700C1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFD9B942316 push 8B485F93h; iretd 11_2_00007FFD9B94231B
            Source: C:\Users\user\AppData\Roaming\System User.exe | Code function: 15_2_00007FFD9B8700BD pushad ; iretd 15_2_00007FFD9B8700C1
            Source: C:\Users\user\AppData\Roaming\System User.exe | Code function: 16_2_00007FFD9B8700BD pushad ; iretd 16_2_00007FFD9B8700C1
            Source: W6s1vzcRdj.exe, 51MbJE2vykk729hqbkNy4qjeuO8da2SXP6nOVXhRGC9oEDhVcjOME6R5pUk.cs | High entropy of concatenated method names: 'hI2hnAiVp0MLSW1obS7jvKMrJTJizcofqVjqSsFIZMUEUbyjcLk3PJRu8cW', 'z4KczIUlelYuBreLBfVRoV3KAf4cMHfsts98OYrtXkRQYgkTufUsg3H4bc5', 'G9Q4ueds4Li6BlQkwwxLI46rL47QhiE7iTFbovsd3hkihQCele8eVqHA6Z0', '_7tJmKzakMNTC7EjA2t', '_4QTf5TbICyQzByia1Z', '_0A6UJ5VclVKLis2bP5', 'xWEoe37okpbnzeLrx6', 'XHV2tathis9ZQZvcoz', 'kDwtq3HEcpA4t5gI7Q', 'e5xwWMFp1kkvlTbE91'
            Source: W6s1vzcRdj.exe, 9MMuemDRZ3VRuktgV5DVyrW5bgmyETC4zO1ihQCJ2.cs | High entropy of concatenated method names: 'kYiIRus7GWCC6qNjsTn06tPY5Pmi52kh9kA6LoItdWOHBCSW8my7C0w1fjl', 'yKv11ykvxiaOVYSNzguhJ6EfNqvesQquKasVAuVIwvVLeQ4rt5qgyPshmm4', 'wclNjRzRbaU4gNl0wljjzyYUU0CpuNEef9ojg7eV4zVoXYADThQ2jahjY5r', '_5lQqp21VCPCyuL5R4BsXIzWQDE3s3XKo82LzddM8amqzUnMFCjhZA1mXipI'
            Source: W6s1vzcRdj.exe, OunKViUof5BgYiunr80VIeOs5UscFiFQtUQAGErtX.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'UGKgS2OYskflDP7RfckqEUbcgeSbZiW4zOUadZiIlx1QzsS7kmuMp7nJJwo', 'zaXnxIGb5r3mIEU3CaoAoZ0gotlT6u570zwcfLMH546CTZyWSUmvGOEFLOJ', 'EqYm5I3P8jcLJx1oaKgxKMtm7fJjrZuYaC3RuIKj37dvozEkDe07TvEh3cm', 'XrSlKPRDUeWCQaNFXNDALdw97PpQorWNgLZw2pERL3RpYOytdvTqwZZyVoB'
            Source: W6s1vzcRdj.exe, pz7mVeo19M6RtJd9jrFf1gTWmnLbfIQhOrxohHjQ0.cs | High entropy of concatenated method names: 'XgsZ1pccDGA3iAIadfLZh6tlFNyjuF4CYmuCaVVmQ', 'vgjMiLY6D1Gf637AqioujjkDJ5unQVqX05FkiAazv', 'wGyiShy1ClZsAIriJQHG64Olaf0mmEsZh6hl0JYQb', 'VAi33Mjvwqhwm6dZkO0E5O9cs42FxbCTsSnU56Ta6', 'ET2cLP42oeR01LGgVnYdS7JAozfGe2f3sWquWELqw', 'YsqziVdWGuDCwGDmuKwP4KcRzoLuz9fVkWd4DzSGaUd4laheakKXhLCbb64', 'cUQw9cAnptEXGonKUR7wkSH9L1tlUd3JQtAqDVBkPzeBFw22Cq4sWT0HJYn', 'ZsO4wntfdXzHHKK0Ziwp5g0Z2tOT6f7LKlv1Tms2tNb72XcOIW4vQF1Wpfy', 'y6bhC5xktowEJ3PbIMpFvs3u8Acrp96BtTeMGNcNcDrKkx0KwcU9DZ2WsXt', 'BkXs35A5NMehteT8WowzURVLcgD9zTUnBnx9B8kmsTEa4K4swiBFIlEekMv'
            Source: W6s1vzcRdj.exe, wm3INqpe0zHP0DqnNaQnHMVZGG4o6fVogWCPxOokV.cs | High entropy of concatenated method names: 'OAdRogcBvgKyCa9BYcTEAaky2LOhl0hqibYiU1xhV', 'oE2DNBQyLx5btG2BQ9Edeg3OVTKzp3f3OwU9snTj4', '_0ogYinPfST8Bv6ahXvln1VnIb8iZxfCK8xzaTlhk3', 'BjSUMUqoVkC9Q7TuJSoTFpRUtMyXL9GVBkc913dBe', 'L46miAIk0Sz6Igk0Z1z8ikapFfN7MQ7wN0fBxswwM', 'pyxYJ7hJgI3G00fzomgK4MqbaHEHh6Cd9ziDkGQG9', '_7dj1SDUvvh9pGWVJTKUd9Y5VxTxkxT8iK6nyoQ0py', 'W95lJ1AkE4WJAw9Ncmpjd5XoYD3WtL0cuMUsxufAY', 'kuy13yxAnMYfg3LyOX3Ecqzoond1VZePStF608E39', 't50j8WxZKEzTpizQPpRE5LfLfN728lxJKQFl2QVpZ'
            Source: W6s1vzcRdj.exe, ygKDTDgXMvUfqfuRf1GRA2NMOFvI3d1YV61Jm0mwm.cs | High entropy of concatenated method names: 'KBLlKDqkv2NA71Xn2v1XgZJIUwGvQnRNZHk3bRFNN', 'rYwOfkkIIaHWKcUcWMJrpReRdB4BoeXrK4uZY185o', 'hpXSYroFFLWlhYcjUNHxCEutE7DHQaYeEyHgxeoFN0wDE40tL5ghOB0d3nDaqp1SrfBpVFEDq', 'lJJkAARyFgwJUzpF1H7OGpMdWsMhf1Iqm49Dy5aAPDNYyGBcM1yAVBjofpptgKUuED6QlZY6w', 'zkYgZy2BXm5xc6GB3xbyYECKTDdPahO865NMF00uk0RhuuVa4aQvybAdcdTGn5vUDFpZyx9rU', 'kogB1SdBz8kEqQygnAg84y4T2WeHjaXDtzwvFg3uER8KLgErdIT9xh1XmOewmgvyd3UpL1X5P', 'yDxCgA0SfW3u19kOeshv1Tg7FWcm54i2urVUS1iSyDJiOFNM6IBD1z90z56snUittYmMgWYbM', '_5hMdP97h3CdxMMxzXQo86ESW2x68mW0B8ZEE6PgZ9bQcRo96mLnqSbxksj3bGob2M3itCvoZF', 'M8EXQHJoDZbq8oqVPWtqdEjlr65TLkyqfDJIBt3MAIdqURKjbiWfRDm4GfMu9HAHC9jVgNULe', 'x11hDqxLc8fcJYe4NIThga64dNU38EhaHNdeyLnjWLrM4pp3L81Tt7vw1n4i1qnHcZVTb2JmJ'
            Source: W6s1vzcRdj.exe, qz3tqcCCqOEYXxIvIX5n4vACtisDEmMaFvF4zyGBmXnfQ4iEqBGzUCvCukZfdULiRl16FP4QL.cs | High entropy of concatenated method names: 'mVvjTv6SWNagPnTVRycwT5VlIYODgRztes1D9hL6ORX3PFeAbBemG2rKgl24M4qvIsm8hfUpJ', 'O8GEpYF400e6O5hJAa', '_4xrqMjNc8Vm2XXqC5K', 'Tlpx7B0snFvi1vpGkB', 'RAn0vGKzy4zsBkr7nB'
            Source: W6s1vzcRdj.exe, Ip5g87e04mVGJ9zB0rhGO83TEvmZB3lp7mVbHA9ez.cs | High entropy of concatenated method names: 'bFCyuPdXLbrn2oErd7REn2wPgEf40XTCE2iUUkhGO', 'eiGV0AjY2rwLZEEsAkTWnMQrIFi6t7DQgRAEvurDkdGCxPMchY917nlMepJAk2aq6KSilJN2CJvf', '_6GE59lK8ni7wq5EY51WfWANzV0WzjBoSgf2fTNMBcUyKRamF3E49d06sOuD9YLvG1k86rxKEO9XS', 'ttXGFHz9nOrkBZucClIaiHdjeWhn7jq0FvtbjVhI7DPPZkNubikyrEfmmwthFo0I16YzPmqwBHar', 'ANNymCxgGUCMuJ5zcInwu4KAYry0ODEVc65sq9ceGGjTQhcWRFgNTmTGF8GqIrjnWYDgbWzbinJ4'
            Source: W6s1vzcRdj.exe, fEPLSfRFMi5R2cxByQF2s4TjoalENwRmhco5LmoGy.cs | High entropy of concatenated method names: 'Va2w4cyavdeyClLtWKoPAcdJaX3duMUHdRwxZsF1m', 'qxjm874sczlFYWyy0OfcdjYwPx6QHHOIjlYtu7GdF', '_52N5Li6sEI1viDRtQRMqYV75ijRae76NIrRd5WIxd', 'uclr2AJqgZwOYkbnQ8RfNGVFvBcKvv7zEqlyJAni9', '_4p0bUDJgmNdAstIHuGRpaprftOGUTXFIhobIlPeZx', 'pULDowLyhVPn1AZWpl1E6Ll3SCBhWk0QHTOAjNj12', '_3nFizaHPSJ3D2fnfljkYIhDiUPW5739D6WM3cjyZV', '_6eXTPQCpQIxnRg9ilwFbt9lQZ0F80XpnRJhbSg785', 'MrYw7CWatdaja0Oc6kIDK5RAUAmdgO4zWO8LY7POH', 'WHRBMT3erYV464smDTsFEMO6fV8W791q5X7qYHNbf'
            Source: W6s1vzcRdj.exe, T3lvWThVja63VhfbvI3c3gqQ6xi6XhQI3hLEzW6oTk3dnrgCEyF0teYh3ooJ7HxGEUaD6Vkbv.cs | High entropy of concatenated method names: 'H0lJtP7Eb23TJ8tT3lWC5iBrceBpy32RNHrRSALfxWVQJH4mVLf840jvw9zu0t1p1kUkZBFHL', '_8p6D2eOua7E4LNsBYYSTyYIxUVTyD2eQofGpf6lJuTDvdYJUCfOhszvQQZEp2C51VquXQmLas', '_3qEsGGkKGgrLNGLx7kbqVCFNbhtrQe19s5p0L0NebguWXspQKxrSqsAjrpi1nO4RV8uBOxJGh', 'dGFyQDXfdZMf5iJ37S62bbjUUfZEwZ9JMzaC4H5vCLznDiLlXGB2KVkmS2ZHpg3gflY4ycP90', 'vRO7O9JwJIh3EKUWHc', 'LHoBFO3LmqgY9wydDh', 'hdBbOlRUF3Sp21W0ii', 'T9KiHmttzJ47A7nWbf', 'hbO2Lh457EtaQNMv0S', 'kL5xpKZ1vhbbzvLsDv'
            Source: W6s1vzcRdj.exe, 0fBGF1CpRg1UNmcfwvuTflNlP8GdkwZnRq7B6ovb0NCIpIwxCTN54z6hiro9kQ7udsKWAyAby.cs | High entropy of concatenated method names: 'ncSdF1lQASQgWNbsRG13JHA8KTG3W8j3px87B1VErP4gQJV7Y6JrWhATUrI7nF8h5ROxeMJaE', 'MuAxHM1iJdEASMgW7v5vbbgnGYzJgmsQamPLEncI1Tg2lxTfjUWNspQu3NvNFVYa4hF8MoZCJ', 'vwU8UF3PYyGu2CvGCNzJl70pknKkPOmrzbkqIAGcycGx5Jcba3WBYyPuxQfSIMj1zzwl1BYSW', 'JIqpNVoczTWNzakhGXVmQg1hwf9foX63d0Utd5G7u0jTlkGFw9r952uyqBk0gxJUNppo1gwJp', 'Wm77I1E6hYQ7jIjduKjrJP3lT2sxOfexn2mjeR1JR90yFjEwWYWDeYXFLeGSCFJMSMyVwZNeg', 'mDpQyUjNbSbxbNbb0GedrBj9NBcG9jiJMP11Xwd4aRbL2W3p9HBl1ZG9RGCgNVjvX4SFZfQu7', 'qR5EYGkVmwBMtiFe5UEefsEEnPwsgewuh1rRRXywvMZ2Q6gQ2ujucI1kbh7yBvSQuP9man4DO', 'k7nj2jcvdTqvRJyVwDH8jE4TEMRvpW4zSYZa7u66n02i7fKjHpv9pO7f2YguO7XTM3xBeaI64', 'BC88mwxok36WEM6xHzMrBik0zehKS0YBlgKl0AI3buCDgMPmkFjeNwqdxZ50U5RynEXTL9Cze', '_7HUqDBGxxYhtgogN9TCuFiCAMhbxw9hR0kuFGD5JMVL8GwApskDw3kCYBL1PiM1SJ67zD6NRH'
            Source: System User.exe.0.dr, 51MbJE2vykk729hqbkNy4qjeuO8da2SXP6nOVXhRGC9oEDhVcjOME6R5pUk.cs | High entropy of concatenated method names: 'hI2hnAiVp0MLSW1obS7jvKMrJTJizcofqVjqSsFIZMUEUbyjcLk3PJRu8cW', 'z4KczIUlelYuBreLBfVRoV3KAf4cMHfsts98OYrtXkRQYgkTufUsg3H4bc5', 'G9Q4ueds4Li6BlQkwwxLI46rL47QhiE7iTFbovsd3hkihQCele8eVqHA6Z0', '_7tJmKzakMNTC7EjA2t', '_4QTf5TbICyQzByia1Z', '_0A6UJ5VclVKLis2bP5', 'xWEoe37okpbnzeLrx6', 'XHV2tathis9ZQZvcoz', 'kDwtq3HEcpA4t5gI7Q', 'e5xwWMFp1kkvlTbE91'
            Source: System User.exe.0.dr, 9MMuemDRZ3VRuktgV5DVyrW5bgmyETC4zO1ihQCJ2.cs | High entropy of concatenated method names: 'kYiIRus7GWCC6qNjsTn06tPY5Pmi52kh9kA6LoItdWOHBCSW8my7C0w1fjl', 'yKv11ykvxiaOVYSNzguhJ6EfNqvesQquKasVAuVIwvVLeQ4rt5qgyPshmm4', 'wclNjRzRbaU4gNl0wljjzyYUU0CpuNEef9ojg7eV4zVoXYADThQ2jahjY5r', '_5lQqp21VCPCyuL5R4BsXIzWQDE3s3XKo82LzddM8amqzUnMFCjhZA1mXipI'
            Source: System User.exe.0.dr, OunKViUof5BgYiunr80VIeOs5UscFiFQtUQAGErtX.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'UGKgS2OYskflDP7RfckqEUbcgeSbZiW4zOUadZiIlx1QzsS7kmuMp7nJJwo', 'zaXnxIGb5r3mIEU3CaoAoZ0gotlT6u570zwcfLMH546CTZyWSUmvGOEFLOJ', 'EqYm5I3P8jcLJx1oaKgxKMtm7fJjrZuYaC3RuIKj37dvozEkDe07TvEh3cm', 'XrSlKPRDUeWCQaNFXNDALdw97PpQorWNgLZw2pERL3RpYOytdvTqwZZyVoB'
            Source: System User.exe.0.dr, pz7mVeo19M6RtJd9jrFf1gTWmnLbfIQhOrxohHjQ0.cs | High entropy of concatenated method names: 'XgsZ1pccDGA3iAIadfLZh6tlFNyjuF4CYmuCaVVmQ', 'vgjMiLY6D1Gf637AqioujjkDJ5unQVqX05FkiAazv', 'wGyiShy1ClZsAIriJQHG64Olaf0mmEsZh6hl0JYQb', 'VAi33Mjvwqhwm6dZkO0E5O9cs42FxbCTsSnU56Ta6', 'ET2cLP42oeR01LGgVnYdS7JAozfGe2f3sWquWELqw', 'YsqziVdWGuDCwGDmuKwP4KcRzoLuz9fVkWd4DzSGaUd4laheakKXhLCbb64', 'cUQw9cAnptEXGonKUR7wkSH9L1tlUd3JQtAqDVBkPzeBFw22Cq4sWT0HJYn', 'ZsO4wntfdXzHHKK0Ziwp5g0Z2tOT6f7LKlv1Tms2tNb72XcOIW4vQF1Wpfy', 'y6bhC5xktowEJ3PbIMpFvs3u8Acrp96BtTeMGNcNcDrKkx0KwcU9DZ2WsXt', 'BkXs35A5NMehteT8WowzURVLcgD9zTUnBnx9B8kmsTEa4K4swiBFIlEekMv'
            Source: System User.exe.0.dr, wm3INqpe0zHP0DqnNaQnHMVZGG4o6fVogWCPxOokV.cs | High entropy of concatenated method names: 'OAdRogcBvgKyCa9BYcTEAaky2LOhl0hqibYiU1xhV', 'oE2DNBQyLx5btG2BQ9Edeg3OVTKzp3f3OwU9snTj4', '_0ogYinPfST8Bv6ahXvln1VnIb8iZxfCK8xzaTlhk3', 'BjSUMUqoVkC9Q7TuJSoTFpRUtMyXL9GVBkc913dBe', 'L46miAIk0Sz6Igk0Z1z8ikapFfN7MQ7wN0fBxswwM', 'pyxYJ7hJgI3G00fzomgK4MqbaHEHh6Cd9ziDkGQG9', '_7dj1SDUvvh9pGWVJTKUd9Y5VxTxkxT8iK6nyoQ0py', 'W95lJ1AkE4WJAw9Ncmpjd5XoYD3WtL0cuMUsxufAY', 'kuy13yxAnMYfg3LyOX3Ecqzoond1VZePStF608E39', 't50j8WxZKEzTpizQPpRE5LfLfN728lxJKQFl2QVpZ'
            Source: System User.exe.0.dr, ygKDTDgXMvUfqfuRf1GRA2NMOFvI3d1YV61Jm0mwm.cs | High entropy of concatenated method names: 'KBLlKDqkv2NA71Xn2v1XgZJIUwGvQnRNZHk3bRFNN', 'rYwOfkkIIaHWKcUcWMJrpReRdB4BoeXrK4uZY185o', 'hpXSYroFFLWlhYcjUNHxCEutE7DHQaYeEyHgxeoFN0wDE40tL5ghOB0d3nDaqp1SrfBpVFEDq', 'lJJkAARyFgwJUzpF1H7OGpMdWsMhf1Iqm49Dy5aAPDNYyGBcM1yAVBjofpptgKUuED6QlZY6w', 'zkYgZy2BXm5xc6GB3xbyYECKTDdPahO865NMF00uk0RhuuVa4aQvybAdcdTGn5vUDFpZyx9rU', 'kogB1SdBz8kEqQygnAg84y4T2WeHjaXDtzwvFg3uER8KLgErdIT9xh1XmOewmgvyd3UpL1X5P', 'yDxCgA0SfW3u19kOeshv1Tg7FWcm54i2urVUS1iSyDJiOFNM6IBD1z90z56snUittYmMgWYbM', '_5hMdP97h3CdxMMxzXQo86ESW2x68mW0B8ZEE6PgZ9bQcRo96mLnqSbxksj3bGob2M3itCvoZF', 'M8EXQHJoDZbq8oqVPWtqdEjlr65TLkyqfDJIBt3MAIdqURKjbiWfRDm4GfMu9HAHC9jVgNULe', 'x11hDqxLc8fcJYe4NIThga64dNU38EhaHNdeyLnjWLrM4pp3L81Tt7vw1n4i1qnHcZVTb2JmJ'
            Source: System User.exe.0.dr, qz3tqcCCqOEYXxIvIX5n4vACtisDEmMaFvF4zyGBmXnfQ4iEqBGzUCvCukZfdULiRl16FP4QL.cs | High entropy of concatenated method names: 'mVvjTv6SWNagPnTVRycwT5VlIYODgRztes1D9hL6ORX3PFeAbBemG2rKgl24M4qvIsm8hfUpJ', 'O8GEpYF400e6O5hJAa', '_4xrqMjNc8Vm2XXqC5K', 'Tlpx7B0snFvi1vpGkB', 'RAn0vGKzy4zsBkr7nB'
            Source: System User.exe.0.dr, Ip5g87e04mVGJ9zB0rhGO83TEvmZB3lp7mVbHA9ez.cs | High entropy of concatenated method names: 'bFCyuPdXLbrn2oErd7REn2wPgEf40XTCE2iUUkhGO', 'eiGV0AjY2rwLZEEsAkTWnMQrIFi6t7DQgRAEvurDkdGCxPMchY917nlMepJAk2aq6KSilJN2CJvf', '_6GE59lK8ni7wq5EY51WfWANzV0WzjBoSgf2fTNMBcUyKRamF3E49d06sOuD9YLvG1k86rxKEO9XS', 'ttXGFHz9nOrkBZucClIaiHdjeWhn7jq0FvtbjVhI7DPPZkNubikyrEfmmwthFo0I16YzPmqwBHar', 'ANNymCxgGUCMuJ5zcInwu4KAYry0ODEVc65sq9ceGGjTQhcWRFgNTmTGF8GqIrjnWYDgbWzbinJ4'
            Source: System User.exe.0.dr, fEPLSfRFMi5R2cxByQF2s4TjoalENwRmhco5LmoGy.cs | High entropy of concatenated method names: 'Va2w4cyavdeyClLtWKoPAcdJaX3duMUHdRwxZsF1m', 'qxjm874sczlFYWyy0OfcdjYwPx6QHHOIjlYtu7GdF', '_52N5Li6sEI1viDRtQRMqYV75ijRae76NIrRd5WIxd', 'uclr2AJqgZwOYkbnQ8RfNGVFvBcKvv7zEqlyJAni9', '_4p0bUDJgmNdAstIHuGRpaprftOGUTXFIhobIlPeZx', 'pULDowLyhVPn1AZWpl1E6Ll3SCBhWk0QHTOAjNj12', '_3nFizaHPSJ3D2fnfljkYIhDiUPW5739D6WM3cjyZV', '_6eXTPQCpQIxnRg9ilwFbt9lQZ0F80XpnRJhbSg785', 'MrYw7CWatdaja0Oc6kIDK5RAUAmdgO4zWO8LY7POH', 'WHRBMT3erYV464smDTsFEMO6fV8W791q5X7qYHNbf'
            Source: System User.exe.0.dr, T3lvWThVja63VhfbvI3c3gqQ6xi6XhQI3hLEzW6oTk3dnrgCEyF0teYh3ooJ7HxGEUaD6Vkbv.cs | High entropy of concatenated method names: 'H0lJtP7Eb23TJ8tT3lWC5iBrceBpy32RNHrRSALfxWVQJH4mVLf840jvw9zu0t1p1kUkZBFHL', '_8p6D2eOua7E4LNsBYYSTyYIxUVTyD2eQofGpf6lJuTDvdYJUCfOhszvQQZEp2C51VquXQmLas', '_3qEsGGkKGgrLNGLx7kbqVCFNbhtrQe19s5p0L0NebguWXspQKxrSqsAjrpi1nO4RV8uBOxJGh', 'dGFyQDXfdZMf5iJ37S62bbjUUfZEwZ9JMzaC4H5vCLznDiLlXGB2KVkmS2ZHpg3gflY4ycP90', 'vRO7O9JwJIh3EKUWHc', 'LHoBFO3LmqgY9wydDh', 'hdBbOlRUF3Sp21W0ii', 'T9KiHmttzJ47A7nWbf', 'hbO2Lh457EtaQNMv0S', 'kL5xpKZ1vhbbzvLsDv'
            Source: System User.exe.0.dr, 0fBGF1CpRg1UNmcfwvuTflNlP8GdkwZnRq7B6ovb0NCIpIwxCTN54z6hiro9kQ7udsKWAyAby.cs | High entropy of concatenated method names: 'ncSdF1lQASQgWNbsRG13JHA8KTG3W8j3px87B1VErP4gQJV7Y6JrWhATUrI7nF8h5ROxeMJaE', 'MuAxHM1iJdEASMgW7v5vbbgnGYzJgmsQamPLEncI1Tg2lxTfjUWNspQu3NvNFVYa4hF8MoZCJ', 'vwU8UF3PYyGu2CvGCNzJl70pknKkPOmrzbkqIAGcycGx5Jcba3WBYyPuxQfSIMj1zzwl1BYSW', 'JIqpNVoczTWNzakhGXVmQg1hwf9foX63d0Utd5G7u0jTlkGFw9r952uyqBk0gxJUNppo1gwJp', 'Wm77I1E6hYQ7jIjduKjrJP3lT2sxOfexn2mjeR1JR90yFjEwWYWDeYXFLeGSCFJMSMyVwZNeg', 'mDpQyUjNbSbxbNbb0GedrBj9NBcG9jiJMP11Xwd4aRbL2W3p9HBl1ZG9RGCgNVjvX4SFZfQu7', 'qR5EYGkVmwBMtiFe5UEefsEEnPwsgewuh1rRRXywvMZ2Q6gQ2ujucI1kbh7yBvSQuP9man4DO', 'k7nj2jcvdTqvRJyVwDH8jE4TEMRvpW4zSYZa7u66n02i7fKjHpv9pO7f2YguO7XTM3xBeaI64', 'BC88mwxok36WEM6xHzMrBik0zehKS0YBlgKl0AI3buCDgMPmkFjeNwqdxZ50U5RynEXTL9Cze', '_7HUqDBGxxYhtgogN9TCuFiCAMhbxw9hR0kuFGD5JMVL8GwApskDw3kCYBL1PiM1SJ67zD6NRH'
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | File created: C:\Users\user\AppData\Roaming\System User.exe

            Boot Survival

            Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe"
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run System User

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\System User.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\W6s1vzcRdj.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exe Memory allocated: AB0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exe Memory allocated: 1A690000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\System User.exe Memory allocated: AB0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\System User.exe Memory allocated: 1A6D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\System User.exe Memory allocated: 7D0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\System User.exe Memory allocated: 1A440000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\System User.exe Memory allocated: 17E0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\System User.exe Memory allocated: 1B1E0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\System User.exe Memory allocated: E50000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\System User.exe Memory allocated: 1A820000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\System User.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exe Window / User API: threadDelayed 2406
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exe Window / User API: threadDelayed 7420
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6106
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3624
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8265
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1367
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8179
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1387
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3013
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6711
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exe TID: 8128 Thread sleep time: -31359464925306218s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6296 Thread sleep time: -7378697629483816s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7360 Thread sleep time: -6456360425798339s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7576 Thread sleep count: 8179 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7576 Thread sleep count: 1387 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7608 Thread sleep time: -6456360425798339s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7912 Thread sleep time: -3689348814741908s >= -30000s
            Source: C:\Users\user\AppData\Roaming\System User.exe TID: 8116 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\System User.exe TID: 7268 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\System User.exe TID: 3052 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Users\user\AppData\Roaming\System User.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exe File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Roaming\System User.exeFile Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Roaming\System User.exeFile Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Roaming\System User.exeFile Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Roaming\System User.exeFile Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\System User.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\System User.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\System User.exeThread delayed: delay time: 922337203685477
            Source: W6s1vzcRdj.exe, 00000000.00000002.2957967126.000000001B497000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW act%SystemRoot%\system32\mswsock.dllame="Faulted"/>
            Source: W6s1vzcRdj.exe, 00000000.00000002.2916361778.0000000000A56000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: fb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
            Source: C:\Users\user\AppData\Roaming\System User.exeProcess token adjusted: Debug
            Source: C:\Users\user\AppData\Roaming\System User.exeProcess token adjusted: Debug
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\W6s1vzcRdj.exe'
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe'
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\W6s1vzcRdj.exe'
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe'
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\W6s1vzcRdj.exe'
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\W6s1vzcRdj.exe'
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'W6s1vzcRdj.exe'
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe'
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User.exe'
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe"
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Queries volume information: C:\Users\user\Desktop\W6s1vzcRdj.exe VolumeInformation
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\System User.exe | Queries volume information: C:\Users\user\AppData\Roaming\System User.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\System User.exe | Queries volume information: C:\Users\user\AppData\Roaming\System User.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\System User.exe | Queries volume information: C:\Users\user\AppData\Roaming\System User.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\System User.exe | Queries volume information: C:\Users\user\AppData\Roaming\System User.exe VolumeInformation
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: W6s1vzcRdj.exe, 00000000.00000002.2957967126.000000001B497000.00000004.00000020.00020000.00000000.sdmp, W6s1vzcRdj.exe, 00000000.00000002.2957967126.000000001B4DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\Desktop\W6s1vzcRdj.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

            Source: Yara match | File source: W6s1vzcRdj.exe, type: SAMPLE
            Source: Yara match | File source: 0.0.W6s1vzcRdj.exe.470000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000000.1664144119.0000000000472000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: W6s1vzcRdj.exe PID: 3132, type: MEMORYSTR
            Source: Yara match | File source: C:\Users\user\AppData\Roaming\System User.exe, type: DROPPED

            Remote Access Functionality

            Source: Yara match | File source: W6s1vzcRdj.exe, type: SAMPLE
            Source: Yara match | File source: 0.0.W6s1vzcRdj.exe.470000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000000.1664144119.0000000000472000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: W6s1vzcRdj.exe PID: 3132, type: MEMORYSTR
            Source: Yara match | File source: C:\Users\user\AppData\Roaming\System User.exe, type: DROPPED
            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
            Execution: 11 Windows Management Instrumentation; 1 Scheduled Task/Job; 1 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
            Persistence: 1 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            Privilege Escalation: 11 Process Injection; 1 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 11 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
            Discovery: 221 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 13 System Information Discovery; Remote System Discovery; System Owner/User Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
            Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
            Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph (ID 1570402, sample W6s1vzcRdj.exe, start date 06/12/2024, architecture WINDOWS, score 100). The graph is rendered here as a text tree; the numbers in parentheses after a process are the graph's counters, in legend order (created registry values, created files).

Start
    DNS/IP: database-recommendations.gl.at.ply.gg
    Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 14 other signatures
    Started: W6s1vzcRdj.exe (counters 1, 6); System User.exe; System User.exe; 2 other processes

W6s1vzcRdj.exe
    DNS/IP: database-recommendations.gl.at.ply.gg 147.185.221.24, ports 17666, 49738, 49790, SALSGIVERUS, United States
    Created file (dropped): C:\Users\user\AppData\...\System User.exe, PE32
    Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag; Bypasses PowerShell execution policy; 2 other signatures
    Started: powershell.exe (counter 23); powershell.exe (counter 23); powershell.exe (counter 23); 2 other processes

powershell.exe (first)
    Signatures: Loading BitLocker PowerShell Module
    Started: conhost.exe
powershell.exe (second) -> conhost.exe
powershell.exe (third) -> conhost.exe
2 other processes -> conhost.exe, conhost.exe

Source          Detection  Scanner         Label
W6s1vzcRdj.exe  82%        ReversingLabs   ByteCode-MSIL.Backdoor.XWormRAT
W6s1vzcRdj.exe  100%       Avira           TR/Spy.Gen
W6s1vzcRdj.exe  100%       Joe Sandbox ML  -
Source                                         Detection  Scanner         Label
C:\Users\user\AppData\Roaming\System User.exe  100%       Avira           TR/Spy.Gen
C:\Users\user\AppData\Roaming\System User.exe  100%       Joe Sandbox ML  -
C:\Users\user\AppData\Roaming\System User.exe  82%        ReversingLabs   ByteCode-MSIL.Backdoor.XWormRAT
            No Antivirus matches
            No Antivirus matches
Source                                           Detection  Scanner          Label
database-recommendations.gl.at.ply.gg            100%       Avira URL Cloud  malware
http://csoft.com/pki/crls/MicRooCerAut_23.crl0Z  0%         Avira URL Cloud  safe
http://www.microsoft.                            0%         Avira URL Cloud  safe
http://crl.micros                                0%         Avira URL Cloud  safe
Name                                   IP              Active  Malicious  Antivirus Detection  Reputation
database-recommendations.gl.at.ply.gg  147.185.221.24  true    true       -                    unknown
Name                                   Malicious  Antivirus Detection       Reputation
database-recommendations.gl.at.ply.gg  true       Avira URL Cloud: malware  unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1765021988.00000264C54E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1848958322.0000020390072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2002787360.00000209D3392000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2192497645.000001D290070000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000B.00000002.2060108741.000001D280229000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000001.00000002.1739871018.00000264B5698000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800033403.0000020380228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1912141324.00000209C354A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2060108741.000001D280229000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000B.00000002.2060108741.000001D280229000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000001.00000002.1739871018.00000264B5698000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800033403.0000020380228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1912141324.00000209C354A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2060108741.000001D280229000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/ | powershell.exe, 0000000B.00000002.2192497645.000001D290070000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1765021988.00000264C54E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1848958322.0000020390072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2002787360.00000209D3392000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2192497645.000001D290070000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/License | powershell.exe, 0000000B.00000002.2192497645.000001D290070000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.mic | powershell.exe, 00000004.00000002.1872679068.00000203FFCEB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2233490954.000001D2F2846000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://contoso.com/Icon | powershell.exe, 0000000B.00000002.2192497645.000001D290070000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.microsoft. | powershell.exe, 00000004.00000002.1868034933.00000203FFB60000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.micft.cMicRosof | powershell.exe, 00000004.00000002.1872679068.00000203FFCEB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2233490954.000001D2F2846000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.1739871018.00000264B5471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800033403.0000020380001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1912141324.00000209C3321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2060108741.000001D280001000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | W6s1vzcRdj.exe, 00000000.00000002.2924667546.0000000002691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1739871018.00000264B5471000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1800033403.0000020380001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1912141324.00000209C3321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2060108741.000001D280001000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 0000000B.00000002.2060108741.000001D280229000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://csoft.com/pki/crls/MicRooCerAut_23.crl0Z | powershell.exe, 00000007.00000002.2028374378.00000209DB8FA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.micros | powershell.exe, 00000001.00000002.1771166507.00000264CD990000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                                          • No. of IPs < 25%
                                          • 25% < No. of IPs < 50%
                                          • 50% < No. of IPs < 75%
                                          • 75% < No. of IPs
IP              Domain                                 Country        ASN    ASN Name     Malicious
147.185.221.24  database-recommendations.gl.at.ply.gg  United States  12087  SALSGIVERUS  true
                                          Joe Sandbox version:41.0.0 Charoite
                                          Analysis ID:1570402
                                          Start date and time:2024-12-06 22:52:08 +01:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 5m 52s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:20
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample name:W6s1vzcRdj.exe
                                          renamed because original name is a hash value
                                          Original Sample Name:c68421f86ca419eac8bb89fcd66b860db60ed4201c16bfa4159436bbbae9401e.exe
                                          Detection:MAL
                                          Classification:mal100.troj.evad.winEXE@20/21@1/1
                                          EGA Information:
                                          • Successful, ratio: 11.1%
                                          HCA Information:
                                          • Successful, ratio: 98%
                                          • Number of executed functions: 88
                                          • Number of non-executed functions: 8
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                          • Execution Graph export aborted for target System User.exe, PID 1104 because it is empty
                                          • Execution Graph export aborted for target System User.exe, PID 4908 because it is empty
                                          • Execution Graph export aborted for target System User.exe, PID 7464 because it is empty
                                          • Execution Graph export aborted for target System User.exe, PID 8092 because it is empty
                                          • Execution Graph export aborted for target powershell.exe, PID 2260 because it is empty
                                          • Execution Graph export aborted for target powershell.exe, PID 7248 because it is empty
                                          • Execution Graph export aborted for target powershell.exe, PID 7488 because it is empty
                                          • Execution Graph export aborted for target powershell.exe, PID 7788 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                          • Report size getting too big, too many NtCreateKey calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          • VT rate limit hit for: W6s1vzcRdj.exe
Time      Type             Description
16:53:02  API Interceptor  58x Sleep call for process: powershell.exe modified
16:53:58  API Interceptor  35635x Sleep call for process: W6s1vzcRdj.exe modified
21:53:58  Task Scheduler   Run new task: System User  path: C:\Users\user\AppData\Roaming\System User.exe
21:53:59  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run  System User  C:\Users\user\AppData\Roaming\System User.exe
21:54:07  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run  System User  C:\Users\user\AppData\Roaming\System User.exe
21:54:15  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk
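The timeline above records three persistence mechanisms for the dropped copy (a scheduled task, an HKCU Run value written under both registry views, and a Startup-folder shortcut, all named "System User"), and the network tables give the C2 domain and IP. Together with the "Adds a directory exclusion to Windows Defender" and "Protects its processes via BreakOnTermination flag" signatures, that is the host triage list for this sample. The PowerShell below is an added example, not part of the Joe Sandbox report and not code from the sample: it checks a Windows host for exactly those indicators. The indicator values are copied from the report; the function name, the output shape and the decision to read both the native and the WOW6432Node Run key are this example's own assumptions.

```powershell
# Added host-triage example (not from the Joe Sandbox report or the sample).
# Indicator values below are copied from the report; names and structure are ours.
#Requires -Version 5.1

function Find-XWormIndicators {
    [CmdletBinding()]
    param(
        [string] $ArtifactName = 'System User',                               # task name, Run value name, .lnk name
        [string] $DroppedPath  = (Join-Path $env:APPDATA 'System User.exe'),  # C:\Users\<user>\AppData\Roaming\System User.exe
        [string] $SampleSha256 = 'C68421F86CA419EAC8BB89FCD66B860DB60ED4201C16BFA4159436BBBAE9401E',
        [string] $C2Ip         = '147.185.221.24',
        [string] $C2DomainTail = 'ply.gg'                                     # database-recommendations.gl.at.ply.gg
    )

    $hits = New-Object System.Collections.Generic.List[object]
    $add  = { param($Kind, $Detail) $hits.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail }) }

    # 1. HKCU Run value. The report logs it under HKCU and HKCU64; the sample is PE32,
    #    so read the native key and the WOW6432Node key a 32-bit writer may have hit.
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }            # PSPath/PSParentPath/... are provider metadata
            if ($p.Name -eq $ArtifactName -or "$($p.Value)" -like "*$DroppedPath*") {
                & $add 'RunKey' "$key\$($p.Name) = $($p.Value)"
            }
        }
    }

    # 2. Scheduled task named after the dropped binary.
    $task = Get-ScheduledTask -TaskName $ArtifactName -ErrorAction SilentlyContinue
    if ($task) {
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        & $add 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) -> $actions"
    }

    # 3. Startup-folder shortcut; resolve the .lnk target rather than trusting the file name.
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path ([Environment]::GetFolderPath('Startup')) -Filter '*.lnk' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $target = $shell.CreateShortcut($_.FullName).TargetPath
            if ($_.BaseName -eq $ArtifactName -or $target -like "*$DroppedPath*") {
                & $add 'StartupLnk' "$($_.FullName) -> $target"
            }
        }

    # 4. Dropped file and any running copy. The report hashes only the submitted sample,
    #    so a differing hash does not clear the file; the path and name are the indicator.
    if (Test-Path -LiteralPath $DroppedPath) {
        $sha  = (Get-FileHash -LiteralPath $DroppedPath -Algorithm SHA256).Hash
        $note = if ($sha -eq $SampleSha256) { 'matches submitted sample' } else { 'differs from submitted sample' }
        & $add 'File' "$DroppedPath SHA256=$sha ($note)"
    }
    Get-Process -Name ([IO.Path]::GetFileNameWithoutExtension($DroppedPath)) -ErrorAction SilentlyContinue |
        ForEach-Object { & $add 'Process' "PID $($_.Id) $($_.Path)" }

    # 5. Defender path exclusions that cover the dropped file (report: "Adds a directory
    #    exclusion to Windows Defender"). Skipped quietly if Defender is not present.
    try {
        foreach ($ex in @((Get-MpPreference -ErrorAction Stop).ExclusionPath)) {
            if ($ex -and $DroppedPath.StartsWith($ex.TrimEnd('\'), [StringComparison]::OrdinalIgnoreCase)) {
                & $add 'DefenderExclusion' $ex
            }
        }
    } catch { }

    # 6. Live connection to the C2 IP, or a cached lookup of anything under the C2's domain.
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -eq $C2Ip } |
        ForEach-Object { & $add 'TcpConnection' "$($_.LocalAddress):$($_.LocalPort) -> $($_.RemoteAddress):$($_.RemotePort) PID $($_.OwningProcess)" }
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "*.$C2DomainTail" } |
        ForEach-Object { & $add 'DnsCache' "$($_.Entry) -> $($_.Data)" }

    return $hits
}

Find-XWormIndicators | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the suspect host; the Defender, NetTCPIP and DnsClient cmdlets are skipped where those modules are missing. Two caveats that follow from the report: a hit on the process check should not be answered with Stop-Process, because the sample sets the BreakOnTermination (critical process) flag and killing it can crash the host; isolate the machine, collect the file and the task/Run/.lnk entries, remove the persistence, and let the process die at reboot. And the 60-byte "PowerShell test file to determine AppLocker lockdown mode" files listed among the dropped files further down are written by powershell.exe itself when it starts, so they are evidence that PowerShell ran, not indicators of the sample.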
Match           Associated Sample Name / URL  Detection  Threat Name
147.185.221.24  u7e3vb5dfk.exe                malicious  XWorm
                aOi4JyF92S.exe                malicious  XWorm
                PG4w1WB9dE.exe                malicious  AsyncRAT, XWorm
                a4BE6gJooT.exe                malicious  XWorm
                grK0Oh8p4Z.exe                malicious  AsyncRAT, XWorm
                SplpM1fFkV.exe                malicious  Unknown
                msedge.exe                    malicious  AsyncRAT, XWorm
                6ox7RfKeE3.exe                malicious  AsyncRAT, XWorm
                sDKRz09zM7.exe                malicious  AsyncRAT, XWorm
                miIs5mgmnJ.exe                malicious  XWorm
(SHA-256 values and report links for these samples are behind links not reproduced in this extract.)
                                                              No context
Match        Associated Sample Name / URL  Detection  Threat Name      Context (IP)
SALSGIVERUS  u7e3vb5dfk.exe                malicious  XWorm            147.185.221.24
             aOi4JyF92S.exe                malicious  XWorm            147.185.221.24
             ozgpPwVAu1.exe                malicious  XWorm            147.185.221.22
             PG4w1WB9dE.exe                malicious  AsyncRAT, XWorm  147.185.221.24
             a4BE6gJooT.exe                malicious  XWorm            147.185.221.24
             grK0Oh8p4Z.exe                malicious  AsyncRAT, XWorm  147.185.221.24
             jSm8N1jXbk.exe                malicious  S400 RAT         147.185.221.23
             mpsl.elf                      malicious  Unknown          147.184.149.5
             i686.elf                      malicious  Unknown          147.168.36.17
             fUXttuyA0n.exe                malicious  SheetRat         147.185.221.19
(SHA-256 values and report links for these samples are behind links not reproduced in this extract.)
                                                              No context
                                                              No context
                                                              Process:C:\Users\user\AppData\Roaming\System User.exe
                                                              File Type:CSV text
                                                              Category:dropped
                                                              Size (bytes):654
                                                              Entropy (8bit):5.380476433908377
                                                              Encrypted:false
                                                              SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                              MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                              SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                              SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                              SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                              Malicious:false
                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:modified
                                                              Size (bytes):64
                                                              Entropy (8bit):0.34726597513537405
                                                              Encrypted:false
                                                              SSDEEP:3:Nlll:Nll
                                                              MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                              SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                              SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                              SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                              Malicious:false
                                                              Preview:@...e...........................................................
                                                              Process:C:\Users\user\Desktop\W6s1vzcRdj.exe
                                                              File Type:Generic INItialization configuration [WIN]
                                                              Category:dropped
                                                              Size (bytes):64
                                                              Entropy (8bit):3.6722687970803873
                                                              Encrypted:false
                                                              SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
                                                              MD5:DE63D53293EBACE29F3F54832D739D40
                                                              SHA1:1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
                                                              SHA-256:A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
                                                              SHA-512:10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
                                                              Malicious:false
                                                              Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                              Process:C:\Users\user\Desktop\W6s1vzcRdj.exe
                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Dec 6 20:53:58 2024, mtime=Fri Dec 6 20:53:58 2024, atime=Fri Dec 6 20:53:58 2024, length=79872, window=hide
                                                              Category:dropped
                                                              Size (bytes):786
                                                              Entropy (8bit):5.0705227149144685
                                                              Encrypted:false
                                                              SSDEEP:12:85j+XgfXgf9lEh64fyWCUdY//ADJLnliK/NAjApDrHlyfHoKpSqfBmV:85j+yy9lAFX+YDFk+UApD87SqfBm
                                                              MD5:A6998173158262EB2D9966BF6441C796
                                                              SHA1:15091F50BDD10A147ADCD161849F5E903925CEEE
                                                              SHA-256:589D7538F34EDA18756EFE686596C3DF392DFA4678BEB30E5ED8832B97613C6F
                                                              SHA-512:40B3B9EFB369226E59C4C14AF8B74BF1155694D0F8E8490C3A943AA2FD1C543849980D76E2F9043CCCD742A735B8400EA45667C144DE79681DE4BFE65099879E
                                                              Malicious:false
                                                              Preview:L..................F.... ....^;Z)H...^;Z)H...^;Z)H...8........................:..DG..Yr?.D..U..k0.&...&......vk.v......2)H...\ZZ)H......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y.............................%..A.p.p.D.a.t.a...B.V.1......Y....Roaming.@......CW.^.Y..............................8.R.o.a.m.i.n.g.....l.2..8...Y.. .SYSTEM~1.EXE..P......Y...Y...............................S.y.s.t.e.m. .U.s.e.r...e.x.e.......]...............-.......\............1.......C:\Users\user\AppData\Roaming\System User.exe........\.....\.....\.....\.....\.S.y.s.t.e.m. .U.s.e.r...e.x.e.`.......X.......580913...........hT..CrF.f4... .B.......,.......hT..CrF.f4... .B.......,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                              Process:C:\Users\user\Desktop\W6s1vzcRdj.exe
                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):79872
                                                              Entropy (8bit):5.992632669041094
                                                              Encrypted:false
                                                              SSDEEP:1536:54YizZ+hNRYHwB0+bRlbUp3RiUcjqIg6IRHYJ86OBXXk20:5CVW63+bXbgBiBqvHYu6O5XD0
                                                              MD5:919023267A38B0B6641B26319901FDDF
                                                              SHA1:DBD25F981353CE0F824FB441A2A0DC2441BDC8DA
                                                              SHA-256:C68421F86CA419EAC8BB89FCD66B860DB60ED4201C16BFA4159436BBBAE9401E
                                                              SHA-512:ECE9275342A3986EF2AB60E0128CA055EA7E1352C13C05367B62E1296DBF4105D757CE0181A79888F1144F14379DC15518AAC87BAC81DA093036BA1A243BBFBF
                                                              Malicious:true
                                                              Yara Hits:
                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\System User.exe, Author: Joe Security
                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\System User.exe, Author: ditekSHen
                                                              Antivirus:
                                                              • Antivirus: Avira, Detection: 100%
                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                              • Antivirus: ReversingLabs, Detection: 82%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Pg.............................M... ...`....@.. ....................................@..................................L..S....`..n............................................................................ ............... ..H............text....-... ...................... ..`.rsrc...n....`.......0..............@..@.reloc...............6..............@..B.................L......H....... `..........&.....................................................(....*.r...p*. .O..*..(....*.ry..p*. ..m.*.s.........s.........s.........s.........*.r...p*. .3 .*.ri..p*. ~.H.*.r...p*. .8F.*.rY..p*. J...*.r...p*. '^..*..((...*.rh..p*. ....*.r...p*. .._.*"(....+.*&(....&+.*.+5sZ... .... .'..o[...(,...~....-.(G...(9...~....o\...&.-.*.r...p*. o...*.r...p*. S...*.r...p*. .(T.*.r...p*. l...*.r...p*. {...*.rv..p*..............j..................s]..............~.........*
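The two dropped-file records above describe the persistence chain: the sample writes a byte-identical copy of itself (same MD5, SHA-1 and SHA-256 as the submitted file) to C:\Users\user\AppData\Roaming\System User.exe, and drops a 786-byte shortcut whose LinkInfo carries that path and whose FileSize field (79872) matches the copy. The parser below is an added example and is not part of the Joe Sandbox report. It builds a constructed .lnk with that target path (the relative path, drive type, attributes and ShowCommand value are assumed, and the constructed file has no ExtraData block) and extracts the target the way an analyst would from the real dropped shortcut; the user_writable_target check is a triage heuristic of my own.

```python
import struct

# Fixed CLSID from the ShellLinkHeader (00021401-0000-0000-C000-000000000046), little-endian.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData fields appear in this fixed order, each only if its flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def _cstring(data, start):
    """Read a NUL-terminated ANSI string starting at 'start'."""
    return data[start:data.index(b"\0", start)].decode("cp1252")


def parse_lnk(data):
    """Extract the target path and string data from a Windows .lnk (MS-SHLLINK layout)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags, attrs = struct.unpack_from("<II", data, 20)
    file_size, icon_index, show_cmd = struct.unpack_from("<IiI", data, 52)
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:                # skip the ItemIDList; LinkInfo is enough here
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = None
    if flags & HAS_LINK_INFO:
        li = pos
        li_size, _hdr, li_flags, _vol, lbp_off, _cnrl, cps_off = struct.unpack_from("<7I", data, li)
        if li_flags & 0x1:                             # VolumeIDAndLocalBasePath
            target = _cstring(data, li + lbp_off) + _cstring(data, li + cps_off)
        pos += li_size
    strings = {}
    for bit, key in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                strings[key] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                strings[key] = data[pos:pos + count].decode("cp1252")
                pos += count
    return {"target": target, "file_size": file_size, "show_command": show_cmd,
            "attributes": attrs, **strings}


def user_writable_target(path):
    """Triage heuristic (mine, not from the report): a Startup shortcut whose target lives
    under a user profile's AppData is the usual shape of user-level persistence."""
    p = path.lower()
    return p.startswith("c:\\users\\") and "\\appdata\\" in p


def build_lnk(local_base_path, relative_path, file_size, show_cmd=1):
    """Constructed .lnk: empty ItemIDList, LinkInfo with a LocalBasePath, unicode RelativePath."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO | HAS_RELATIVE_PATH | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, file_size, 0, show_cmd, 0, 0, 0, 0)
    id_list = struct.pack("<H", 2) + b"\0\0"                     # IDListSize + TerminalID only
    volume = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\0"     # DRIVE_FIXED, empty label
    lbp = local_base_path.encode("cp1252") + b"\0"
    suffix = b"\0"                                              # empty CommonPathSuffix
    vol_off = 0x1C
    lbp_off = vol_off + len(volume)
    cps_off = lbp_off + len(lbp)
    link_info = struct.pack("<7I", cps_off + len(suffix), 0x1C, 0x1, vol_off, lbp_off, 0, cps_off)
    link_info += volume + lbp + suffix
    rel = relative_path.encode("utf-16-le")
    return header + id_list + link_info + struct.pack("<H", len(relative_path)) + rel


if __name__ == "__main__":
    # Target path as shown in the report's preview; relative path and size field assumed.
    lnk = build_lnk(r"C:\Users\user\AppData\Roaming\System User.exe",
                    r"..\..\..\..\..\System User.exe", 79872)
    info = parse_lnk(lnk)
    print(info, user_writable_target(info["target"]))
```

On a real dropped shortcut, read the file bytes and pass them to parse_lnk; the LocalBasePath is the field to pivot on, since the RelativePath is resolved against the shortcut's own location and can be rewritten by the creator.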
                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Entropy (8bit):5.992632669041094
                                                              TrID:
                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                              • Windows Screen Saver (13104/52) 0.07%
                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                              File name:W6s1vzcRdj.exe
                                                              File size:79'872 bytes
                                                              MD5:919023267a38b0b6641b26319901fddf
                                                              SHA1:dbd25f981353ce0f824fb441a2a0dc2441bdc8da
                                                              SHA256:c68421f86ca419eac8bb89fcd66b860db60ed4201c16bfa4159436bbbae9401e
                                                              SHA512:ece9275342a3986ef2ab60e0128ca055ea7e1352c13c05367b62e1296dbf4105d757ce0181a79888f1144f14379dc15518aac87bac81da093036ba1a243bbfbf
                                                              SSDEEP:1536:54YizZ+hNRYHwB0+bRlbUp3RiUcjqIg6IRHYJ86OBXXk20:5CVW63+bXbgBiBqvHYu6O5XD0
                                                              TLSH:F2738D1C3BE68119E1FF6FB19EE67122CB75F6631903D64F14C5028A1213A8ACE517FA
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Pg.............................M... ...`....@.. ....................................@................................
                                                              Icon Hash:90cececece8e8eb0
                                                              Entrypoint:0x414d0e
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                              Time Stamp:0x6750D2E5 [Wed Dec 4 22:08:37 2024 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the listing continues with this instruction repeated: the bytes following the jmp are zero padding, and 00 00 disassembles as add byte ptr [eax], al)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14cb8 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x56e | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x18000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x12d14 | 0x12e00 | e1fea38e684d6517db8b6b9fd453d398 | False | 0.6093361961920529 | SysEx File - Sony | 6.054825933028938 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x16000 | 0x56e | 0x600 | ccabdfdbe83fafb038ee968dc3dff275 | False | 0.375 | data | 3.92477228520332 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x18000 | 0xc | 0x200 | 6e07cd719961c00e87f1a2c6d1f5e2a0 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x160a0 | 0x2e4 | data | | | 0.37432432432432433
RT_MANIFEST | 0x16384 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-06T22:54:57.626858+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49843 | 147.185.221.24 | 17666 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 6, 2024 22:54:00.151846886 CET | 49738 | 17666 | 192.168.2.4 | 147.185.221.24
Dec 6, 2024 22:54:00.271758080 CET | 17666 | 49738 | 147.185.221.24 | 192.168.2.4
Dec 6, 2024 22:54:00.275533915 CET | 49738 | 17666 | 192.168.2.4 | 147.185.221.24
Dec 6, 2024 22:54:00.403845072 CET | 49738 | 17666 | 192.168.2.4 | 147.185.221.24
Dec 6, 2024 22:54:00.555198908 CET | 17666 | 49738 | 147.185.221.24 | 192.168.2.4
Dec 6, 2024 22:54:14.692301035 CET | 49738 | 17666 | 192.168.2.4 | 147.185.221.24
Dec 6, 2024 22:54:14.812024117 CET | 17666 | 49738 | 147.185.221.24 | 192.168.2.4
Dec 6, 2024 22:54:22.200294971 CET | 17666 | 49738 | 147.185.221.24 | 192.168.2.4
Dec 6, 2024 22:54:22.201533079 CET | 49738 | 17666 | 192.168.2.4 | 147.185.221.24
Dec 6, 2024 22:54:23.954634905 CET | 49738 | 17666 | 192.168.2.4 | 147.185.221.24
Dec 6, 2024 22:54:23.959511995 CET | 49790 | 17666 | 192.168.2.4 | 147.185.221.24
Dec 6, 2024 22:54:24.074378014 CET | 17666 | 49738 | 147.185.221.24 | 192.168.2.4
Dec 6, 2024 22:54:24.079288006 CET | 17666 | 49790 | 147.185.221.24 | 192.168.2.4
Dec 6, 2024 22:54:24.079438925 CET | 49790 | 17666 | 192.168.2.4 | 147.185.221.24
Dec 6, 2024 22:54:24.108078957 CET | 49790 | 17666 | 192.168.2.4 | 147.185.221.24
Dec 6, 2024 22:54:24.227910995 CET | 17666 | 49790 | 147.185.221.24 | 192.168.2.4
Dec 6, 2024 22:54:35.393053055 CET | 49790 | 17666 | 192.168.2.4 | 147.185.221.24
Dec 6, 2024 22:54:35.512789965 CET | 17666 | 49790 | 147.185.221.24 | 192.168.2.4
Dec 6, 2024 22:54:45.981945038 CET | 17666 | 49790 | 147.185.221.24 | 192.168.2.4
Dec 6, 2024 22:54:45.982033014 CET | 49790 | 17666 | 192.168.2.4 | 147.185.221.24
Dec 6, 2024 22:54:45.985755920 CET | 49790 | 17666 | 192.168.2.4 | 147.185.221.24
Dec 6, 2024 22:54:45.986826897 CET | 49843 | 17666 | 192.168.2.4 | 147.185.221.24
Dec 6, 2024 22:54:46.105541945 CET | 17666 | 49790 | 147.185.221.24 | 192.168.2.4
Dec 6, 2024 22:54:46.106530905 CET | 17666 | 49843 | 147.185.221.24 | 192.168.2.4
Dec 6, 2024 22:54:46.106610060 CET | 49843 | 17666 | 192.168.2.4 | 147.185.221.24
Dec 6, 2024 22:54:46.139398098 CET | 49843 | 17666 | 192.168.2.4 | 147.185.221.24
Dec 6, 2024 22:54:46.259210110 CET | 17666 | 49843 | 147.185.221.24 | 192.168.2.4
Dec 6, 2024 22:54:57.626857996 CET | 49843 | 17666 | 192.168.2.4 | 147.185.221.24
Dec 6, 2024 22:54:57.746622086 CET | 17666 | 49843 | 147.185.221.24 | 192.168.2.4
Dec 6, 2024 22:55:07.998001099 CET | 17666 | 49843 | 147.185.221.24 | 192.168.2.4
Dec 6, 2024 22:55:07.998079062 CET | 49843 | 17666 | 192.168.2.4 | 147.185.221.24
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 6, 2024 22:53:59.887026072 CET | 64492 | 53 | 192.168.2.4 | 1.1.1.1
Dec 6, 2024 22:54:00.144112110 CET | 53 | 64492 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 6, 2024 22:53:59.887026072 CET | 192.168.2.4 | 1.1.1.1 | 0x3ef8 | Standard query (0) | database-recommendations.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 6, 2024 22:54:00.144112110 CET | 1.1.1.1 | 192.168.2.4 | 0x3ef8 | No error (0) | database-recommendations.gl.at.ply.gg | | 147.185.221.24 | A (IP address) | IN (0x0001) | false


                                                              Target ID:0
                                                              Start time:16:52:58
                                                              Start date:06/12/2024
                                                              Path:C:\Users\user\Desktop\W6s1vzcRdj.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\Desktop\W6s1vzcRdj.exe"
                                                              Imagebase:0x470000
                                                              File size:79'872 bytes
                                                              MD5 hash:919023267A38B0B6641B26319901FDDF
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1664144119.0000000000472000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1664144119.0000000000472000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                              Reputation:low
                                                              Has exited:false

                                                              Target ID:1
                                                              Start time:16:53:01
                                                              Start date:06/12/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\W6s1vzcRdj.exe'
                                                              Imagebase:0x7ff788560000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:2
                                                              Start time:16:53:01
                                                              Start date:06/12/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff7699e0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:4
                                                              Start time:16:53:10
                                                              Start date:06/12/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'W6s1vzcRdj.exe'
                                                              Imagebase:0x7ff788560000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:5
                                                              Start time:16:53:10
                                                              Start date:06/12/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff7699e0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:7
                                                              Start time:16:53:19
                                                              Start date:06/12/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User.exe'
                                                              Imagebase:0x7ff788560000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:8
                                                              Start time:16:53:19
                                                              Start date:06/12/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff7699e0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:11
                                                              Start time:16:53:36
                                                              Start date:06/12/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User.exe'
                                                              Imagebase:0x7ff788560000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:12
                                                              Start time:16:53:36
                                                              Start date:06/12/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff7699e0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:13
                                                              Start time:16:53:58
                                                              Start date:06/12/2024
                                                              Path:C:\Windows\System32\schtasks.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User.exe"
                                                              Imagebase:0x7ff76f990000
                                                              File size:235'008 bytes
                                                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:14
                                                              Start time:16:53:58
                                                              Start date:06/12/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff7699e0000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:15
                                                              Start time:16:53:58
                                                              Start date:06/12/2024
                                                              Path:C:\Users\user\AppData\Roaming\System User.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\AppData\Roaming\System User.exe"
                                                              Imagebase:0x370000
                                                              File size:79'872 bytes
                                                              MD5 hash:919023267A38B0B6641B26319901FDDF
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\System User.exe, Author: Joe Security
                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\System User.exe, Author: ditekSHen
                                                              Antivirus matches:
                                                              • Detection: 100%, Avira
                                                              • Detection: 100%, Joe Sandbox ML
                                                              • Detection: 82%, ReversingLabs
                                                              Has exited:true

                                                              Target ID:16
                                                              Start time:16:54:07
                                                              Start date:06/12/2024
                                                              Path:C:\Users\user\AppData\Roaming\System User.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\AppData\Roaming\System User.exe"
                                                              Imagebase:0x190000
                                                              File size:79'872 bytes
                                                              MD5 hash:919023267A38B0B6641B26319901FDDF
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:17
                                                              Start time:16:54:15
                                                              Start date:06/12/2024
                                                              Path:C:\Users\user\AppData\Roaming\System User.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\AppData\Roaming\System User.exe"
                                                              Imagebase:0xf90000
                                                              File size:79'872 bytes
                                                              MD5 hash:919023267A38B0B6641B26319901FDDF
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:19
                                                              Start time:16:55:00
                                                              Start date:06/12/2024
                                                              Path:C:\Users\user\AppData\Roaming\System User.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\AppData\Roaming\System User.exe"
                                                              Imagebase:0x500000
                                                              File size:79'872 bytes
                                                              MD5 hash:919023267A38B0B6641B26319901FDDF
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Has exited:false


                                                                Execution Graph

                                                                Execution Coverage:20.2%
                                                                Dynamic/Decrypted Code Coverage:100%
                                                                Signature Coverage:0%
                                                                Total number of Nodes:11
                                                                Total number of Limit Nodes:1
execution_graph (graph rendering not recoverable as text; API-calling nodes): 7ffd9b88149f -> 7ffd9b8814cd -> 7ffd9b883191 RtlSetProcessIsCritical -> 7ffd9b8831f2 (alternate edge 7ffd9b8814cd -> 7ffd9b8814db); 7ffd9b8830f8 -> 7ffd9b883101 RtlSetProcessIsCritical -> 7ffd9b8831f2; 7ffd9b883658 -> 7ffd9b883661 SetWindowsHookExW -> 7ffd9b883731

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
control_flow_graph (basic-block edges not recoverable as text): function at 7ffd9b888586, blocks through 7ffd9b888a43, one call to 7ffd9b888a44
Strings
Memory Dump Source
• Source File: 00000000.00000002.2965045618.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b880000_W6s1vzcRdj.jbxd
Similarity
• API ID:
• String ID: ?SDO$?SDO
• API String ID: 0-48701825

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.2965045618.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b880000_W6s1vzcRdj.jbxd
Similarity
• API ID:
• String ID: ?SDO$?SDO
• API String ID: 0-48701825

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.2965045618.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b880000_W6s1vzcRdj.jbxd
Similarity
• API ID:
• String ID: CAM_^
• API String ID: 0-3136481660

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.2965045618.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b880000_W6s1vzcRdj.jbxd
Similarity
• API ID:
• String ID: CAM_^
• API String ID: 0-3136481660
Memory Dump Source
• Source File: 00000000.00000002.2965045618.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b880000_W6s1vzcRdj.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph

Memory Dump Source
• Source File: 00000000.00000002.2965045618.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b880000_W6s1vzcRdj.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.2965045618.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b880000_W6s1vzcRdj.jbxd
Similarity
• API ID: CriticalProcess
• String ID:
• API String ID: 2695349919-0

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000000.00000002.2965045618.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b880000_W6s1vzcRdj.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2965045618.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffd9b880000_W6s1vzcRdj.jbxd
Similarity
• API ID:
• String ID: 4M_^$5M_^
• API String ID: 0-4266852409
Memory Dump Source
• Source File: 00000001.00000002.1775126625.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9b950000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000001.00000002.1773868348.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000001.00000002.1773868348.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000001.00000002.1773868348.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000001.00000002.1773868348.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000001.00000002.1775126625.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9b950000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000001.00000002.1773046930.00007FFD9B76D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9b76d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000001.00000002.1775126625.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9b950000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000001.00000002.1775126625.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7ffd9b950000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1773868348.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: L_^6$L_^<$L_^F$L_^I$L_^J
                                                                • API String ID: 0-1031638419
                                                                • Opcode ID: 2a3fab70d900d808d9f0fae170b1816a9de1b700bcfc3e5ddf2760bbd5851b29
                                                                • Instruction ID: e61fec6f2fdc8ca0d58765bdd7474afbc624d9f36ce0de74d903496018a01a16
                                                                • Opcode Fuzzy Hash: 2a3fab70d900d808d9f0fae170b1816a9de1b700bcfc3e5ddf2760bbd5851b29
                                                                • Instruction Fuzzy Hash: 6C2144B77084161FD30677AEBC019EC7381CBD427634891B3D368CB553EA94A08B8AD1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000001.00000002.1773868348.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: L_^$L_^$L_^$L_^
                                                                • API String ID: 0-2357752022
                                                                • Opcode ID: 89a83441f674402f62ed086cbffd2b0ed21bc037a8f017eb061df4274c41252e
                                                                • Instruction ID: 60bce8f072d8a6ddbf25311d6c7a64da140333378f0ffc4fc9a1966d0015c761
                                                                • Opcode Fuzzy Hash: 89a83441f674402f62ed086cbffd2b0ed21bc037a8f017eb061df4274c41252e
                                                                • Instruction Fuzzy Hash: 6D419452B0FAC61FE356472A8C660456FA0EF53754B4A53F6C0E54F0A3ED2829478242
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1875345551.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b860000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9e26653cd2f73ec9c0f95b02f9e939803f47af3b610d245d74b5e8666e3757a0
                                                                • Instruction ID: 5fcc23dd405f0f42fcbc2103d568d520e5dee25f2f164a1822d949e78124ddae
                                                                • Opcode Fuzzy Hash: 9e26653cd2f73ec9c0f95b02f9e939803f47af3b610d245d74b5e8666e3757a0
                                                                • Instruction Fuzzy Hash: E3D17170A18A8DCFDF98DF58C465AE97BE1FF68300F55416AD409D72A5CB34E881CB80
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1875935382.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b930000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0b20d5dd0a07336ec38951c3e53f1488fe0e286846c9def34efe2aa9489a068d
                                                                • Instruction ID: eba2c519c140443ce4a914c1ab2ed4a0ee69598647e5b6b522b86de8fbc29ae9
                                                                • Opcode Fuzzy Hash: 0b20d5dd0a07336ec38951c3e53f1488fe0e286846c9def34efe2aa9489a068d
                                                                • Instruction Fuzzy Hash: CDD15972B2FA8E1FEB69ABA848745B57BE0EF16310B1901FED05DC70E3DA14A905C341
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1875345551.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b860000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5a63ef6f26552bcc3699530edc00c25df6adbddc18e7a2ea549311c48c989716
                                                                • Instruction ID: 6c7cbe4fed52d09242e55cf32627aeee56439d6bd93b5bc75ef8d5c1227c3301
                                                                • Opcode Fuzzy Hash: 5a63ef6f26552bcc3699530edc00c25df6adbddc18e7a2ea549311c48c989716
                                                                • Instruction Fuzzy Hash: E641187190DB888FDB19DF5C9C1A6A9BFE0FB59310F4441AFD49983293CA64B805CBC2
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1874762058.00007FFD9B74D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B74D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b74d000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d6e84ed3fffeee72ad71f0a44a4a8d78856bcba7ecf892ca8ebdbe3c32feffd1
                                                                • Instruction ID: fab32f02666c23de7db4807ef870c122bd17f9e95c0ddf2f0f87c53ba1e3fda9
                                                                • Opcode Fuzzy Hash: d6e84ed3fffeee72ad71f0a44a4a8d78856bcba7ecf892ca8ebdbe3c32feffd1
                                                                • Instruction Fuzzy Hash: A841087190EBC44FE75A8B2898559523FF1EF57321B1A02DFD088CB1B3D625A845C792
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1875345551.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b860000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e1ba302e74b791bb30551edb85019828caf506822ba6c83dc31daebe3d379bf9
                                                                • Instruction ID: 50fa793811a4b5500a3611bfa411143c3b571c95e00221913d64e14f27105039
                                                                • Opcode Fuzzy Hash: e1ba302e74b791bb30551edb85019828caf506822ba6c83dc31daebe3d379bf9
                                                                • Instruction Fuzzy Hash: 9221283190CB4C8FDB59DBAC9C4A7E97FE0EB96321F04416BD049C3162D674A806CB92
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1875345551.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b860000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                • Instruction ID: 6dd09209bda49ca184c5c3d1d8726fbee4921c8bb33108d55f737178623d1c86
                                                                • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                • Instruction Fuzzy Hash: 4201A73020CB0C8FD748EF0CE451AA6B3E0FB89320F10056DE58AC36A1DA32E882CB41
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1875935382.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b930000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c3ba9c76b812426ca825957747f32be5abd44d94721cefb41bf3632dbc65b8c2
                                                                • Instruction ID: 699aea7c62afe44408f0ca43bb0d0d11dbe8981bec0420cd5f22c455cbcb4125
                                                                • Opcode Fuzzy Hash: c3ba9c76b812426ca825957747f32be5abd44d94721cefb41bf3632dbc65b8c2
                                                                • Instruction Fuzzy Hash: 8EF0B432B0D9094FDB68EA9CE4519A473E0EF6432071200BAE05DC71B3CA25EC40C745
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1875935382.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b930000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 734352866a7486e52b30f3784d5e5ed2d6df21b7946a5c0d5923a187f31a029c
                                                                • Instruction ID: 9a9f51883b69a14212e9a8acd8e5b7baed6e3f3310c98d48672fe66f59baca2e
                                                                • Opcode Fuzzy Hash: 734352866a7486e52b30f3784d5e5ed2d6df21b7946a5c0d5923a187f31a029c
                                                                • Instruction Fuzzy Hash: EBF0BE32A0E5498FDBA8EA5CE0649A8B7E0FF0432071200BAE05DCB1A3DA25EC50CB40
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1875935382.00007FFD9B930000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B930000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b930000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                • Instruction ID: 7a67b3ad295e2fd24c513a90ad6d56110817720412821ad02882ed369853d283
                                                                • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                • Instruction Fuzzy Hash: 5DE0483171C8089FDA78DA8CE0519E973E1EFA833171241BBD14EC7671C621ED51CB80
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1875345551.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b860000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: N_^8$N_^<$N_^?$N_^J$N_^K$N_^N$N_^Q$N_^Y
                                                                • API String ID: 0-2388461625
                                                                • Opcode ID: c2f823834917604030f606e4ac28406e5d14685f992dda4079306600a8d4c0a4
                                                                • Instruction ID: ac6247e52ec1394cebb45574eb75bdcf8a5de13140a774af2e2da03d14ef7c99
                                                                • Opcode Fuzzy Hash: c2f823834917604030f606e4ac28406e5d14685f992dda4079306600a8d4c0a4
                                                                • Instruction Fuzzy Hash: 9821D7B3B445154EC30537BCBD619E86B82DF5437834501F3E229CF593E994648B8A83
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.1875345551.00007FFD9B860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B860000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_7ffd9b860000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: N_^$N_^$N_^$N_^$N_^$N_^
                                                                • API String ID: 0-4064032852
                                                                • Opcode ID: 8be71635110030b4b3de05c222f2d8bcc8ca106a50dcbfffd257ad5919143449
                                                                • Instruction ID: be7177bd1225fa98f633b4880664030aa32d8022f7cd6f95a680a2a2644d4d3f
                                                                • Opcode Fuzzy Hash: 8be71635110030b4b3de05c222f2d8bcc8ca106a50dcbfffd257ad5919143449
                                                                • Instruction Fuzzy Hash: F9310993F0BAD65FE76A07695C764916FE0FF25A9934E03B7C1DACA053FC102A434112
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2034796708.00007FFD9B885000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B885000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b885000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7c848382982c20b11279636c3b10d4698c3239941e833e709b992ee5e7b607f3
                                                                • Instruction ID: 1a5057ff9743bd69dc7e90e17582fd415b536af9b371b2b634014276826b3c6f
                                                                • Opcode Fuzzy Hash: 7c848382982c20b11279636c3b10d4698c3239941e833e709b992ee5e7b607f3
                                                                • Instruction Fuzzy Hash: C3D17070A18A4D8FDF98DF58C465AAD7BE1FF68300F15416AD41DD72A6CB34E881CB81
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2035551450.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b950000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fd241bf53f6cfc86f802b7247b5d44f0720c5c1fabda6dabb786805dc9fdc360
                                                                • Instruction ID: 08f83858f8a90b95a090e58beefa7b49830c7502666d68e3a0d6cd75dcc2a61b
                                                                • Opcode Fuzzy Hash: fd241bf53f6cfc86f802b7247b5d44f0720c5c1fabda6dabb786805dc9fdc360
                                                                • Instruction Fuzzy Hash: 54D15872B2FA8E1FEB659BA848744B57BE0EF16310B1901FED85DC70E3DA58A905C341
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2034796708.00007FFD9B885000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B885000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b885000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a3acaa9b487b1220bfa6c724e56d2761d65f1696451612252fdd2f3a3fe62399
                                                                • Instruction ID: 1332406242ba44673bffe6048d6ec7f54671bf2e052ed0d3b70c1ed80f914437
                                                                • Opcode Fuzzy Hash: a3acaa9b487b1220bfa6c724e56d2761d65f1696451612252fdd2f3a3fe62399
                                                                • Instruction Fuzzy Hash: 2D413B71A1DF8C8FDB199F5C980A6A87BE0FB99710F44816FE05983292DB30B915C7C2
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2033752498.00007FFD9B76D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b76d000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 01e032752a72f34c792cc6f152358fd6a6271e0331ddc6fd967b48f11eca8af0
                                                                • Instruction ID: 04da63b36a49a64386e265c808fc0e77a2b4bdd146dc0e6db36112d5074cfb84
                                                                • Opcode Fuzzy Hash: 01e032752a72f34c792cc6f152358fd6a6271e0331ddc6fd967b48f11eca8af0
                                                                • Instruction Fuzzy Hash: 3D41F67140EBC48FE7569B289C559523FF0EF56320B1A06EFD088CB1B7D625A846C7A3
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2034796708.00007FFD9B885000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B885000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b885000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 64a5911468e1fcbf77ca053600b5efef80e5f9752ee410897b19c86d7a94702e
                                                                • Instruction ID: 0b3352f720fc1f78a0055027a64134d1e6f0b5ad65ff97c21850646e8e4fabb2
                                                                • Opcode Fuzzy Hash: 64a5911468e1fcbf77ca053600b5efef80e5f9752ee410897b19c86d7a94702e
                                                                • Instruction Fuzzy Hash: D321283090DB4C4FDB59DFACD84A7E97BF0EB56321F04426BD049C3196DA74A416CB92
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2034796708.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b880000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 413193d24df3f757485ab0e0d50f8aa31e6cb241fc643ffc8ade2b63558a4b97
                                                                • Instruction ID: 2fad08866fefb52328957f3e00cff12e708ace335f53a13def62d07b3219f6bf
                                                                • Opcode Fuzzy Hash: 413193d24df3f757485ab0e0d50f8aa31e6cb241fc643ffc8ade2b63558a4b97
                                                                • Instruction Fuzzy Hash: 4D01A73020CB0C4FD748EF0CE451AA6B3E0FB89320F10056DE58AC36A1DA32E882CB41
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2035551450.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b950000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 73208d643afbf7b1cfc6adcce7fbbff167340f30df8d33e7c9fb06cb49ef45f1
                                                                • Instruction ID: 9ad08cc1390b937209d0a4df953b93cc0300c88ae2f68bf341fcdcda93cbe343
                                                                • Opcode Fuzzy Hash: 73208d643afbf7b1cfc6adcce7fbbff167340f30df8d33e7c9fb06cb49ef45f1
                                                                • Instruction Fuzzy Hash: 02F0B432B4E5098FD7A8EA9CE4519E473E0EF64320B1240BAE05DC71B7CA25EC40C745
                                                                Memory Dump Source
                                                                • Source File: 00000007.00000002.2035551450.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_7_2_7ffd9b950000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0b1654f8ffe5229d7c3060fa0439329dbed3a8b94e282ff8ca480883aef0deeb
                                                                • Instruction ID: 9d792c2df94ac560b199b1775279bf8e8c9e9bac5818266597d47f23454f6fd4
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffd9b870000_System User.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a013be66910a952d31c9728c914d5db99b56fd1d51a54b10692192382275cf20
                                                                • Instruction ID: e17769049edd79104c6a5d8aed53a35915a22e1ac93f2e45e3746bff3dddae68
                                                                • Opcode Fuzzy Hash: a013be66910a952d31c9728c914d5db99b56fd1d51a54b10692192382275cf20
                                                                • Instruction Fuzzy Hash: 8032C861B28A494FEB98FB7C88B9B7977D2FF98704F540579E04DC32D6DE28A8018741
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2391876552.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffd9b870000_System User.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 38a5d6080ac1e0fca9a9d18f28365401b993ca057a83cf0eb79c3a47ee67b156
                                                                • Instruction ID: b98f7ec075c2c9a9b45907ceeef8eeb6478d0cf6d7cb61acb43115364205a603
                                                                • Opcode Fuzzy Hash: 38a5d6080ac1e0fca9a9d18f28365401b993ca057a83cf0eb79c3a47ee67b156
                                                                • Instruction Fuzzy Hash: 8212F761B29D494FEBA8FB7C84B9B7976D2EF9C704F5404B9E04EC32D6DD28A8018741
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2391876552.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffd9b870000_System User.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: fe55c7eb81bd6fc74300296d1e828deec3cd84dd60ddd1df8e076154fcc767ab
                                                                • Instruction ID: 6029ad7ae8e1e0336b684d325f4c0729b790c4fae41a5b6f874c041d096d04c5
                                                                • Opcode Fuzzy Hash: fe55c7eb81bd6fc74300296d1e828deec3cd84dd60ddd1df8e076154fcc767ab
                                                                • Instruction Fuzzy Hash: 35514921B1EACA0FE766A778586A5747FD2DF8A62470900FBD08CC71EBCD1C6C428352
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2391876552.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffd9b870000_System User.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 051a1173693881195e221a6e031175be4cb6cf453ef0ede5fa14431e9af24668
                                                                • Instruction ID: 515f3c10c3e5c7a1ba0865755bd6be6e14dd6a6a128b8c41d6b00f8c52524b23
                                                                • Opcode Fuzzy Hash: 051a1173693881195e221a6e031175be4cb6cf453ef0ede5fa14431e9af24668
                                                                • Instruction Fuzzy Hash: 6731F521B189480FE798FF6C586A679A6D2EF9D314F0401BEE04EC32EBDD24AC418341
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2391876552.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffd9b870000_System User.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4e7c996474e881b056eea2b43d7ddf9c8a84e6987df8a6c71e37e814f2534a17
                                                                • Instruction ID: 060e183f7929675d82fd467d1ef9c599db6e7f19a0869e06bb492c4fd4631b33
                                                                • Opcode Fuzzy Hash: 4e7c996474e881b056eea2b43d7ddf9c8a84e6987df8a6c71e37e814f2534a17
                                                                • Instruction Fuzzy Hash: A631B221B199490FE798EF6C587A679A6D2EF99314F0505BEE04EC32EBDD24AC428341
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2391876552.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffd9b870000_System User.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 173df2752a48d7c7fd864bed2f2fcc7cc7256ba5bacb404fab402ec0037f8617
                                                                • Instruction ID: 17b2bb4432ddfdc3479388c5af07b3c180d44cd2dfa7095fb90fc5b290436034
                                                                • Opcode Fuzzy Hash: 173df2752a48d7c7fd864bed2f2fcc7cc7256ba5bacb404fab402ec0037f8617
                                                                • Instruction Fuzzy Hash: FF31E451B29D0A0FEB84BBBC587A7BDA2C2EF9C755F10017AE01DC32D6DD1868014782
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2391876552.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffd9b870000_System User.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 976ca0ee70bb23b7fb0908350bca6593635df42f33c26844de536ae1d105d5d6
                                                                • Instruction ID: 933d049c9e703c0eaa49365dca9996d91a005c309ff0f208f8ef701cc0869dfe
                                                                • Opcode Fuzzy Hash: 976ca0ee70bb23b7fb0908350bca6593635df42f33c26844de536ae1d105d5d6
                                                                • Instruction Fuzzy Hash: 34318471F2894E8FEB48EBA88875AED77E1FF98704F600575D019D32DADE38A8418741
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2391876552.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffd9b870000_System User.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e38795ebb2dc54e64207c8fa7b328f580006ba525f711466942190199ae3c522
                                                                • Instruction ID: d50f806e1d368365b96a0e38bef91bf64f7f5677532b7d8091e88484941ec741
                                                                • Opcode Fuzzy Hash: e38795ebb2dc54e64207c8fa7b328f580006ba525f711466942190199ae3c522
                                                                • Instruction Fuzzy Hash: 68212921B599CA4FEB58EB9888B59A83FA1FF88A047B044F4D44D837CFDD34A900C791
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2391876552.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffd9b870000_System User.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 16cf3c717e4b6dbf37072536e6ca5f07ed8ad67fadad9f44ed3a3064196e352c
                                                                • Instruction ID: c83cc296697510537e62490b2cfc092767097c01096153edb19f392eda8b1b82
                                                                • Opcode Fuzzy Hash: 16cf3c717e4b6dbf37072536e6ca5f07ed8ad67fadad9f44ed3a3064196e352c
                                                                • Instruction Fuzzy Hash: 1021B032E1590E8FEB54EB98C8E51EEB7B2FF98350F400176D40AA36E1EE3469418780
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2391876552.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffd9b870000_System User.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 275792068cb6a88047926ade31ed6938f4125b223eb40f02a888fa73dc7ba8f8
                                                                • Instruction ID: f1c175a2ab952131c7e1ac115935b53bae63b0cc7a511fef519d7a01a91f0638
                                                                • Opcode Fuzzy Hash: 275792068cb6a88047926ade31ed6938f4125b223eb40f02a888fa73dc7ba8f8
                                                                • Instruction Fuzzy Hash: D72198307649CE4FE75CEB5894B99A97FA1FF98601BA045A4E41EC37CDEE34A9008780
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2391876552.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffd9b870000_System User.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 33f63daa151b0181b6fb7db7e33297040031d7441ac4038ecdaa24a10e06263a
                                                                • Instruction ID: 5295108ddb80f549aadb3b31e9dacf430805570d0b23046a85f7e0ec188d7d51
                                                                • Opcode Fuzzy Hash: 33f63daa151b0181b6fb7db7e33297040031d7441ac4038ecdaa24a10e06263a
                                                                • Instruction Fuzzy Hash: 08F02712F2DE590BFB94F76C58A68797BD0DBE8664B04052AE84DC31A5ED14EA814382
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.2478944930.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_17_2_7ffd9b890000_System User.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e53f97e3c24b6e0b2ecf2f080393d501143584ef693cab04584031bc02e947d7
                                                                • Instruction ID: 9b67775392055c136154db2bd678db34b7acf1918a1d7aaf06e9bd8e3140a64f
                                                                • Opcode Fuzzy Hash: e53f97e3c24b6e0b2ecf2f080393d501143584ef693cab04584031bc02e947d7
                                                                • Instruction Fuzzy Hash: FC42E721F2DA494FEB98FB6C887567977D2FF98704F4405B9E01EC32DADE29A8018741
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.2478944930.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_17_2_7ffd9b890000_System User.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 198d4cd9b6bfab2b74bbe4cf03a1c799f653b1c6b465dfd4c1352fc175671ee5
                                                                • Instruction ID: 989bb7671419841f0421927af1c010c0c750d59f4afe5732ccb3b569acbac2ea
                                                                • Opcode Fuzzy Hash: 198d4cd9b6bfab2b74bbe4cf03a1c799f653b1c6b465dfd4c1352fc175671ee5
                                                                • Instruction Fuzzy Hash: 6F22D621F2DA495FEBA8F768887567977D2FF9C700F4501B9E01EC32DADE29A8018741
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.2478944930.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_17_2_7ffd9b890000_System User.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 807053ab018515ee521e196dccd80d94e7ab47518a62ab8b1e2459a5c3eebfca
                                                                • Instruction ID: 6e61ade64fc49e77d0f3408aa1b6921efedc777733f1c2b30d8ad355e669be2b
                                                                • Opcode Fuzzy Hash: 807053ab018515ee521e196dccd80d94e7ab47518a62ab8b1e2459a5c3eebfca
                                                                • Instruction Fuzzy Hash: 81510020B1E6C90FEB9AABB848746657FE1DF8B215B0800FBE089C71E7DD085806C342
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.2478944930.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_17_2_7ffd9b890000_System User.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ca7237f8cc0bb1d445b46f2daf883d1cd0544403b546ba76688a876e87b7d980
                                                                • Instruction ID: a8a24080242d053d09cedd45078444f92bcbd8cd433397ea662a01e80aa0efb0
                                                                • Opcode Fuzzy Hash: ca7237f8cc0bb1d445b46f2daf883d1cd0544403b546ba76688a876e87b7d980
                                                                • Instruction Fuzzy Hash: 4A410A32E0EA8A5FDB12E7A8C8B10E97FB1EF45210B0501F7D099DB1F3ED2868458741
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.2478944930.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_17_2_7ffd9b890000_System User.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: dced734af7461d92fa1a8e3dc0b7a8d89fecba89e8ca8a6f82793f04e938882d
                                                                • Instruction ID: 46db35f99a45f4fe3867e359a077afcc946b1a1e21cb8c9319d95be215f2fc10
                                                                • Opcode Fuzzy Hash: dced734af7461d92fa1a8e3dc0b7a8d89fecba89e8ca8a6f82793f04e938882d
                                                                • Instruction Fuzzy Hash: D231E722A0EA9A5FEB16E7A8CCB10F97FB1FF45250B0501B7D089DB1F3ED2968458741
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.2478944930.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_17_2_7ffd9b890000_System User.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d353a7ae8810c0e55259e2bafe79ed2d2f1f0af0036bed9871f4633f40dbea89
                                                                • Instruction ID: e95667b7e700dd0a5661fc56501099c68d115e711ae7b692fc6edaafcee1650d
                                                                • Opcode Fuzzy Hash: d353a7ae8810c0e55259e2bafe79ed2d2f1f0af0036bed9871f4633f40dbea89
                                                                • Instruction Fuzzy Hash: A3513721B1EACA0FE766A77848265753FE2DF8A61470901FBD09CC71EBCD1DAC428352
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.2478944930.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_17_2_7ffd9b890000_System User.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 185d58780c25c4a42f87d29560803dcf200da96c7d7783099949c6854dcd35f0
                                                                • Instruction ID: 75ab959550465051fe929f5ce6062e7fb0f75d2e30374443837428ca4d35b67c
                                                                • Opcode Fuzzy Hash: 185d58780c25c4a42f87d29560803dcf200da96c7d7783099949c6854dcd35f0
                                                                • Instruction Fuzzy Hash: DE31B521B189490FE798FF6C586A679A6D2EF9C315F0501BEE04EC32EBDD68AC418341
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.2478944930.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_17_2_7ffd9b890000_System User.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 293b520a7acdcc274fdb576cbbadc67bf2af30a53abff189ed1d34f7fe2c6bf9
                                                                • Instruction ID: e242521245a7e0d56ac8b8ec0f917783b4eb4c0ddae0acd3ef5fc464fe85af41
                                                                • Opcode Fuzzy Hash: 293b520a7acdcc274fdb576cbbadc67bf2af30a53abff189ed1d34f7fe2c6bf9
                                                                • Instruction Fuzzy Hash: 8C31F661F199494FEB84BBBC5C2A7BD77D2EF98711F0402B6E00DC32D6DE1868018782
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.2478944930.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_17_2_7ffd9b890000_System User.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2bc87a74c493678ae6dce68fc0614bf7cdc1310f48375d3c9a0a3477c25137a5
                                                                • Instruction ID: 85bbecf730e9445d58dcd43bb55601fe1797379cc17fd25a1e2d3b8e00492006
                                                                • Opcode Fuzzy Hash: 2bc87a74c493678ae6dce68fc0614bf7cdc1310f48375d3c9a0a3477c25137a5